Introduction


Our annual report is split into three sections. 


The first section is our Performance report, which reviews our work across 
2020/21. The sections set out our key achievements, with case studies providing 
in-depth examination of some of our most impactful work. 


This section concludes with statistics covering the full range of our operational 
performance, summary reports on our financial performance, sustainability and
whistleblowing disclosures made to us, and a statement on the ICO’s status as a 
going concern. 


The second section is our Accountability report, which includes declarations 
regarding corporate governance, remuneration and staffing, and parliamentary 
accountability and audit reporting. In this section we also provide further detail 
about our internal structures. 


The report concludes with our Financial statements, comprising our financial 
performance. 
Information Commissioner’s foreword


This Annual Report covers a period unprecedented in our history, which brought 
challenges to us all. The ICO was not exempt from these challenges. 


In March 2020, we closed our offices, and our 800 staff worked from home. Most 
of our activity would be conducted this way for the entire period this report 
covers. 


As our environment changed, so did our work. The use of data has been central 
to the response to COVID-19, from keeping people safe to managing the impact 
on society and the economy. That meant my office has been at the centre of so 
many of the key issues that have had a real impact on individuals, from ensuring 
data protection considerations were built into contact tracing solutions to 
emphasising the value of transparency and documentation of government 
decision making. A full analysis of how we responded to the challenges of 
COVID-19 will be covered in a separate report to parliament, which we plan to 
publish over the summer. 


COVID-19 also prompted a transformation in the role of digital services. Our 
lives are now more digital than ever before: the past year has seen spikes in the 
use of online services to learn, stay in touch with others, keep fit and stay 
healthy. That impacts my office: our work is now more often complex and high 
profile, and increasingly overlaps with other areas of regulation. 


This annual report shows how we have successfully risen to these challenges, 
producing what I believe is this office’s most significant body of work. 


Our successes are testament to the hard work and expertise of the ICO’s staff, 
and the foundations of the modern ICO laid across the past five years. 


In that time the office has almost doubled in headcount, with a focus on 
increasing our technical, legal, and economic expertise. We have built 
partnerships with other regulators and developed our international relationships
and influence. We have benefited from our commitment to equality and 
diversity. And we have strengthened our Management Board, to whom I am 
personally grateful for their continuing support and guidance. 


More than all of that though, the ICO has developed a confidence in who we are. 
The work outlined in this report demonstrates a modern, independent ICO that 
has the courage to take on the complex data protection of the day, and 
resources and expertise to back that courage. 


That confidence sets us up for future success. The National Data Strategy sets 
out how the UK is well placed to reap the benefits data can bring in the coming 
years, both to our economy and to our society. The ICO will be central to that 
work, encouraging innovation and ensuring that data is managed, protected, and 
respected to unlock its full impact. Most of all, we will continue to demonstrate 
that data protection is, at its core, about trust: the digital opportunity before us 
today will only be realised where people trust their data will be used fairly and 
transparently. 


In my final Annual Report as Commissioner, I will conclude with a simple note of 
thanks. Every day I have worked at the ICO I have been impressed and inspired 
by the commitment and passion of the staff across our offices. It remains one of 
the greatest privileges of my life to work with such dedicated colleagues and I 
am grateful for their support. 




Elizabeth Denham 
22 June 2021 
Senior Independent Director’s Report


I am pleased to be writing this introduction at the conclusion of my first year in 
the new role of Senior Independent Director at the ICO. 


I echo Elizabeth’s comments that 2020/21 has been an extremely busy and 
successful year for the ICO. COVID-19 was clearly a large driver for our work. I 
am immensely proud of what the ICO has done this year to help to protect 
vulnerable people from scams, ensure that our regulatory approach took account 
of the new ways of working and the use of personal data in the pandemic and 
supported businesses to thrive in this challenging environment. Our regulatory 
work has been hugely important and impactful. 


I would like to take this opportunity to thank everyone in the ICO who has 
worked to ensure that the organisation, at every level, has been able to operate 
effectively and efficiently during an extremely challenging year. The ICO's 
achievements during this year are a testament to the commitment, ambition and 
determination of the staff throughout the organisation, and reflect the work put
in to develop the ICO across recent years. 


Ensuring that the ICO is set up to enable it to continue to develop in the future 
has been a focus for the Board over the past year. I have been working with 
DCMS to continue building on the strong relationships between the ICO and our 
sponsor Department, including supporting the recruitment process for the next 
Information Commissioner. 


Recognising the considerable breadth of personal statutory responsibilities of the 
Information Commissioner, we have also strengthened our governance 
infrastructure during this reporting period. In addition to the introduction of a 
Senior Independent Director, the Board has introduced governance 
infrastructure more typically found in more traditional statutory regulators, 
whilst respecting the ultimate authority of the role of Commissioner as a 
Corporation Sole. These arrangements ensure the collective Management Board 
can provide the highest possible level of support and challenge to the 
organisation. 


2020/21 was the last full year of Elizabeth Denham’s term as Information 
Commissioner. There can be no doubt that Elizabeth has transformed the ICO 
during her time as Commissioner and has ensured that the ICO is at the heart of 
discussions on data protection issues both in the UK and across the world; she 
has remarkable powers to communicate, lead and inspire. I, and the rest of the 
Board, am grateful to her for agreeing to extend her term to facilitate a smooth 
transition to her successor and we all wish her well in the next stage of her 
career. 


Nicola Wood 
22 June 2021 
Our mission, vision, strategic
goals and values 


Our mission 


To uphold information rights for the UK public in the digital age. 


Our vision 


To increase the confidence that the UK public have in organisations that 
process personal data and those which are responsible for making public 
information available. 


Our strategic goals — 2016 to 2021 


1. To increase the public’s trust and confidence in how data is used
and made available.

2. Improve standards of information rights practice through clear,
inspiring and targeted engagement and influence.

3. Maintain and develop influence within the global information
rights regulatory community.

4. Stay relevant, provide excellent public service and keep abreast of
evolving technology.

5. Enforce the laws we help shape and oversee.

6. To be an effective and knowledgeable regulator for cyber-related
privacy issues.
Our values

Ambitious — Working boldly, ready to test boundaries and take 
advantage of new opportunities; working with a 
sense of genuine urgency, continuously improving 
when striving to be the absolute best we can be. 

Collaborative — Working towards achieving our goals, supporting
one another whilst seeking and sharing information
and expertise and working effectively with a range
of partners to achieve our collective objectives.

Service focused — Working impartially and ethically to provide
excellent services - continuously innovating to
remain relevant to the environment we regulate.
The legislation we regulate


The Data Protection Act 2018 (DPA 2018) and the General Data Protection 
Regulation (GDPR) both commenced in May 2018 and build on and enhance 
the rights of individuals relating to personal data; including the right to know 
what information is held about them and the right to correct information that is 
wrong. The legislation also obliges organisations to manage the personal 
information they hold in an appropriate way. The GDPR was replaced by the UK 
General Data Protection Regulation (UK GDPR) following the UK’s exit from 
the European Union. 


The Freedom of Information Act 2000 (FOIA) gives people a general right of 
access to information held by most public authorities. Aimed at promoting a
culture of openness and accountability across the public sector, it enables a
better understanding of how public authorities carry out their duties, why they 
make the decisions they do and how they spend public money. 


The Environmental Information Regulations 2004 (EIR) provide an 
additional means of access to environmental information. The EIR cover more 
organisations than FOIA, including some private sector bodies, and have fewer 
exemptions. 


The Privacy and Electronic Communications Regulations 2003 (PECR) 
regulate the use of electronic communications for the purpose of unsolicited 
marketing to individuals and organisations, including the use of cookies. 


The Network and Information Systems Regulations 2018 (NIS) are derived 
from the European NIS Directive, which establishes a common level of security 
for network and information systems. These systems play a vital role in the 
economy and wider society, and NIS aims to address the threats posed to them 
from a range of areas, most notably cyber-attacks. 


The Infrastructure for Spatial Information in the European Community 
Regulations 2009 (INSPIRE) give the Information Commissioner enforcement 
powers in relation to the pro-active provision by public authorities of 
geographical or location-based information. 


The Re-use of Public Sector Information Regulations 2015 (RPSI) gives 
the public the right to request the re-use of public sector information and details 
how public bodies can charge for re-use and license the information. The ICO 
deals with complaints about how public bodies have dealt with requests to re-use
information.


The Investigatory Powers Act 2016 (IPA) imposes duties on communications 
service providers when retaining communications data for third party 
investigatory purposes where they have been issued with a notice from the 
Secretary of State. The Information Commissioner has a duty to audit the
security, integrity and destruction of that retained data. 


The Electronic Identification and Trust Services for Electronic 
Regulations 2016 (eIDAS) sets out rules for the security and integrity of trust 
services including electronic signatures, seals, time stamps and website 
authentication certificates. The ICO has a supervisory role towards organisations 
providing these trust services, including being able to grant qualified status to 
providers and the ability to take enforcement action. 


The Enterprise Act 2002 sets various reforms to competition law and 
consumer law enforcement in the UK. Part 8 of the Enterprise Act deals with 
provisions for the enforcement of consumer protection legislation. The ICO has 
powers under Part 8 of the Enterprise Act as a “designated enforcer” in relation 
to domestic and infringements listed in Schedule 13 of the Enterprise Act. The 
ICO is also a “Schedule 13” enforcer which gives us additional powers in relation 
to infringements listed in Schedule 13 of the Act. 
Introduction


A year in review 


As with last year, we have set out our achievements and successes in six 
categories, all of which contribute to the strategic goals set out in our 
Information Rights Strategic Plan. 


Our work is informed by our annual track, a survey of over 2,000 people that the 
ICO commissions each year. The research helps us to understand what people 
think about data protection and freedom of information, as well as giving us a 
greater understanding of how people look to utilise their rights. 


The survey, carried out by Harris Interactive in early 2021, showed that public 
trust and confidence in companies and organisations storing and using their
personal information remains consistent. Just under three in ten (28%) of people 
have high trust and confidence (compared with 27% in 2020), with a similar 
number stating they have low trust and confidence (29%, compared with 28% in 
2020). Over three quarters of people (77%) agreed that protecting their 
personal information is important to them. 


1. Supporting the public 
Our role includes helping people understand how their data is used and 
protecting people’s rights. 


We prioritised transparency and fairness when scrutinising innovative 
responses to the challenges brought by COVID-19, so people could see how 
their rights had been respected. 


2. Enabling innovation and economic growth 


Data protection can support innovation, by encouraging public trust in 
emerging technologies. 


Our guidance around artificial intelligence is helping innovators to develop 
new products and services that earn public trust through built-in data 
protection. 
3. Raising global data protection standards


The ICO's international influence helps to raise data protection standards 
worldwide. 


Our Age Appropriate Design Code will start to have a real impact on global 
data standards in 2021, and we have provided support to help organisations 
adapt their online products and services. 


4. Taking regulatory action 


The ICO offers consistent regulation, with clarity for business through our 
accessible guidance. 


Our regulatory action is focused on supporting organisations to meet their 
legal requirements, while we reserve our proportionate enforcement only for 
where it is required. 


5. Supporting the public sector 


Successful innovation in the public sector often requires the public's trust in 
how their data is used, shared and kept safe. 


Our Freedom of Information work is an important part of this, and our FOI 
Toolkit has proved successful in helping public authorities to handle requests 
better. 


6. Delivering the ICO service experience 


The ICO is committed to a service-focused approach across our work. 


The impact of COVID-19 


The ICO had an important role to play in supporting the country's response to 
COVID-19. 


The pandemic showed the power of data in supporting innovative responses to 
the challenges society faced, notably through national exposure notification apps 
and contact tracing. This annual report includes details of the ICO's role in 
providing advice and expertise to Government and public authorities on these 
projects, ensuring the consideration of people's rights was built in at an early 
stage of their development. The report also outlines work to promote data 
sharing in the pandemic response, protect vulnerable people from COVID-19-related
scams and frauds, and provide privacy information to the public around
COVID-19 related issues.


From the outset of the pandemic, the ICO recognised the uncertain and 
challenging environment the organisations we regulate found themselves in, as 
well as the potential impact on our own resources. In April 2020, we published 
the regulatory response we would take during the pandemic¹, which we then
reviewed and updated in July² and September³. In this annual report, we set out
how we worked with businesses, notably by offering practical support on the 
new data protection questions that the pandemic asked of organisations, 
through our coronavirus information hub, and through dedicated advice to the 
public sector. We also set out how we supported our staff throughout the year. 


Our published regulatory response also considered the impact of the pandemic 
on access to information rights. We took a pragmatic approach, taking into 
consideration the impact the pandemic had on public authorities, while 
reiterating the value of transparency and good recordkeeping throughout an 
historically important period. 


The ICO's role in the pandemic response will be outlined in more detail in a 
report to Parliament, due to be published before the summer. The report will 
include details of the lessons learned that will inform our future approach, and 
our regulatory perspective on how the data protection legislative framework has 
responded to the public policy delivery challenges arising during the pandemic. 


1 [...]will-regulate-during-coronavirus/
2 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/information-commissioner-updates-on-the-ico-s-regulatory-approach-during-covid-19-and-beyond/
3 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/09/open-letter-from-uk-information-commissioner-elizabeth-denham-to-uk-organisations
The year in summary


April 2020

15 The ICO sets out its adjusted regulatory approach during the coronavirus
pandemic, acknowledging the exceptional circumstances, the important role that
people's information rights have, and the flexibility the law gives for a
pragmatic and empathetic regulator.

17 Formal Opinion published setting out current thinking on Google and Apple's
joint tracing initiative.


May 2020

04 Elizabeth Denham and Simon McDougall set out the ICO’s expectations on how
contact tracing solutions should be developed in line with the data protection
standards, while appearing before the Joint Committee on Human Rights.

05 The ICO publishes its reshaped priorities, focused on protecting the public
interest, enabling responsible data sharing and monitoring intrusive and
disruptive technology.


June 2020

12 Elizabeth Denham details the overlap between modern data protection
regulation and competition law before the OECD Competition Committee.

18 Investigation report on the use of mobile phone extraction by police forces
recommends measures to improve compliance with data protection law and regain
public confidence.


July 2020

01 The ICO, the Competition and Markets Authority and Ofcom announce the
formation of the Digital Regulation Cooperation Forum to help ensure online
services work well for consumers and businesses.

17 Self-assessment Freedom of Information toolkit launched to give practical
help to public authorities, with an initial focus on timeliness of responses.

30 Guidance on Artificial Intelligence is published, containing recommendations
for organisations on best practice and technical measures.


August 2020

19 Regulatory sandbox reopens with a focus on children's privacy and data
sharing.

27 Annual ICO survey shows value of good data protection in encouraging public
trust.


September 2020

02 The Age Appropriate Design Code comes into effect, triggering the 12 month
transition period.

17 Accountability framework launched to make it easier for organisations to
assess the risks they create and take appropriate action.

18 Elizabeth Denham blog published setting out the ICO’s regulatory work
regarding COVID-19 apps.

24 Elizabeth Denham open letter to UK organisations published regarding the
ICO's adjusted approach during COVID-19.


October 2020

06 Elizabeth Denham blog published on the conclusion of the ICO's investigation
into the use of personal data in political campaigning.

13 ICO chairs Global Privacy Assembly closed session, with focus on continued
modernisation of the international regulatory network.

16 British Airways fined £20m for data breach, followed two weeks later by a
£18.4m fine for Marriott International Inc.

27 Enforcement action against Experian announced as report into data protection
compliance in the direct marketing data broking sector is published.


November 2020

11 Summary of the audit reports into the data protection practices of seven of
the UK's political parties is published.

12 Elizabeth Denham speaks about the role of trust in innovation at the Open
Data Institute's virtual summit.

12 Report into the information access request performance of police forces in
England, Wales and Northern Ireland highlights areas for improvement.

13 Ticketmaster UK Limited fined £1.25m for failing to protect its customers’
payment details.


December 2020

09 Data analytics toolkit to help police forces launched.

11 Memorandum of Understanding signed with Global Cyber Alliance.

17 Data sharing code of practice published, accompanied by a suite of new
resources to help and encourage responsible data sharing.

21 Elizabeth Denham urges UK businesses to prepare for the end of the transition
period in order to keep data flowing.


January 2021

12 ICO gives evidence at the Public Services Select Committee, and two weeks
later at the Digital, Culture, Media and Sport Sub-committee.

22 Investigation into real time bidding and the adtech industry resumes, after a
pause while activities responding to COVID-19 were prioritised.

27 Fines totalling £480,000 issued to four separate companies for making
millions of nuisance calls.

28 ICO launches the final phase of the privacy innovation grants programme on
Data Protection Day.


February 2021

09 The ICO supports Safer Internet Day 2021 by highlighting the importance of
protecting children within the digital world.

17 Data analytics toolkit launched, as part of the ICO's work to support
organisations using AI.

19 ICO issues statement in response to the publication of the draft adequacy
decision from the European Commission.


March 2021

03 Elizabeth Denham delivers a speech at the Oxford Internet Institute,
reflecting on regulating data protection in 2021.

09 Political campaigning guidance published, to ensure consistent application of
data protection standards where new digital campaigning techniques are used.
Section 1: Supporting the public


The first goal in the ICO’s Information Rights Strategic Plan is increasing public 
trust and confidence in how data is used and made available. 


Data-driven innovation and the digital economy bring so many benefits to 
society, but success relies on individuals trusting their personal data will be used 
fairly and lawfully. 


The role of the regulator is central to that public trust. Despite the challenges of 
COVID-19 in 2020/21, the ICO resolved more than 30,000 complaints made by 
members of the public concerned that their data rights had not been respected. 


We also played a proactive role in helping the public to make informed decisions 
about how personal data is used, both through our YourDataMatters social media 
campaign and through our media work. 


Representing people’s rights 

New and innovative uses of people’s personal data have been central to society’s 
response to the challenges brought by COVID-19. From national COVID-19 
exposure notification apps to contact tracing, people’s information has been used 
to protect public health and minimise the disruption we all face. 


The ICO has taken a pragmatic approach, supporting public health innovation 
and reflecting the flexibility of data protection law. We have made sure people’s 
data is being used fairly, lawfully and transparently. 


The result was that the necessary consideration of people’s data protection 
rights was built into national exposure notification apps, with our feedback 
prompting changes in areas such as transparency and improved privacy 
information. We also influenced the data protection by design approach that
ensured data collected and shared was minimised. Our regulatory role continued
beyond the launches of these apps and included an audit of the Test and Trace 
ecosystem in early 2021. 


Our work representing people’s rights also focused on the use of live facial 
recognition technology. Elizabeth Denham spoke to the Oxford Internet Institute 
about the importance of public trust in innovative data use. We also contributed 
our expertise as the Court of Appeal looked at the use of the technology by 
police forces⁴. Our input pointed to the importance of a clear legal framework in
encouraging public trust and confidence in the police and their actions, and we 
welcomed the judgment that provided clarification in this key area. 


4 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/08/ico-statement-on-the-court-of-appeal-judgment/
We have also continued our work representing people’s data protection rights
around political campaigning. Digital campaigning can help parties keep in touch 
with people more efficiently, inform voting decisions and improve engagement 
with hard-to-reach groups. The ICO has worked with parties and campaign 
groups to make clear the rules that must be followed when personal data is 
used, such as when profiling voters to target digital advertising. In November 
2020, we published a summary of our audits of seven of the UK’s political 
parties, and in March 2021 we published updated guidance on the use of 
personal data in political campaigning. We continue to enable the political parties 
to use data transparently and lawfully. 


The ICO continues to provide independent regulatory advice to the government 
in relation to the UK’s application for our data protection regime to be considered 
adequate for data transfers from EU countries. We welcomed the government’s 
commitment to high data protection standards and continue to provide expert 
regulatory advice on how the UK’s data protection framework works in practice, 
its key role in protecting individuals’ information rights, and the way it can 
support innovative data use. 


Working with Parliament 


The Commissioner appeared five times before Parliamentary Committees during 
2020/21. In addition, the ICO provided briefings to parliamentarians on issues 
such as Freedom of Information, the response to COVID-19, and data sharing. 


The Commissioner discussed the privacy implications of contact tracing apps 
across the UK when giving evidence to the Joint Committee on Human Rights in 
May 2020. The appearance also shone a spotlight on the Commissioner’s dual 
role as a regulator: providing early advice to organisations to help them address 
risks and realise their accountability obligations to get data protection and 
privacy protections ‘right first time’; and supporting the public with our strong 
powers to address complaints and concerns after data usage has occurred. 


In July 2020 and January 2021, the Commissioner and Deputy Commissioner 
(Regulatory Strategy) detailed the ICO’s support of data sharing to the Public 
Services Committee. The Commissioner also welcomed feedback from the 
Committee on children’s data and is working with others, including the Children’s 
Commissioner, on further information in this area. Further information about the 
ICO’s work in these areas is provided later in the report. 


At the Lords Liaison Committee on AI in October 2020, the Deputy 
Commissioner (Executive Director - Technology and Innovation) spoke about 
the ICO's experience in the AI regulatory landscape. The use of personal data is 
intrinsic to so many examples of AI, and we outlined the support we offer to 
industry, notably through practical advice such as our work with the Alan Turing
Institute to produce guidance for those designing AI enabled digital tools. 
Finally, in a wide-ranging accountability session in January 2021 with the DCMS
Committee, the Commissioner and the Deputy Chief Executive Officer and Chief 
Operating Officer answered questions about our investigation into the use of 
personal data in political campaigning, protecting children online, regulating 
large technology platforms, the efficacy of the Freedom of Information Act, and 
the ICO’s journey of growth and learning whilst bringing in and administering the 
UK GDPR. 


Protecting vulnerable people 


In addition to our broader work protecting people’s rights throughout the 
pandemic, we identified the risk of COVID-19-related scams and frauds, targeted 
at vulnerable people. 


This was a major area of focus for the ICO from an early stage, protecting the
public in a regulatory space that might typically see the overlap of data misuse
and breach of the Privacy and Electronic Communication Regulations covering
nuisance calls and texts.


We worked alongside Action Fraud, Trading Standards, law enforcement and 
other relevant agencies to protect people. Our work included educating people 
around the risk of these scams and offering tips on what to look out for. 


We also acted against companies who used nuisance marketing calls and texts 
to play upon people’s concerns at a time of great public uncertainty. We issued a 
penalty of £60,000 to a firm that sent text messages promoting a hand-sanitising
product⁵, and penalties totalling £110,000 to three companies who
sent unlawful marketing messages to sell face masks⁶ ⁷ ⁸.


Informing the public 


The ICO has provided privacy information to the public around COVID-19-related 
issues. This included informing people of their rights around contact tracing⁹,
testing and health data sharing¹⁰. We also warned people of the risks of
fraudsters looking to take advantage of the pandemic. 


Age Appropriate Design Code 


The Age Appropriate Design Code sets out standards that online services need to
follow around children's personal data. It completed the parliamentary process in
August 2020 and came into force three weeks later. A transitional period, aimed
at giving organisations time to make the necessary changes to put children’s
privacy at the heart of their design, ends on 2 September 2021.


5 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/09/ico-fines-company-flouting-the-law-in-order-to-profiteer-from-the-coronavirus-pandemic
[...]action-against-company-for-sending-spam-emails-selling-face-masks-during-pandemic/
9 https://ico.org.uk/your-data-matters/your-data-matters-blog#24september2020
10 https://ico.org.uk/your-data-matters/your-data-matters-blog/#23june2020


The code breaks new ground as regulatory guidance focused on a ‘by design 
approach’ and is a huge step toward protecting children online. All major social 
media and online services used by children in the UK will need to conform to the 
code, giving the impact an international reach. 


The ICO has provided a tailored package of support to help organisations adapt 
their online products and services, as well as engaging businesses internationally 
on the requirements, including work with the US Chamber of Commerce and 
Global Counsel. ICO research in early 2020 showed that three quarters of 
businesses are aware of the code. 


Section 2: Enabling innovation and economic growth 


Data protection law in the UK was born out of a concern that the potential of 
emerging computer-based innovation would be lost without people’s trust. 


At the ICO, we take our responsibilities to enable innovation and economic 
growth seriously. We take a proactive approach, working with organisations to 
encourage good practices that assure people their data protection rights are 
being respected. This year has seen continued investment and growth in 
our ability to support innovation and stay ahead of technological change. We 
continue to be visible in the business communities we support, with the 
Commissioner delivering keynote addresses at events organised by the Open 
Data Institute, TechUK, City Week and the Centre for Information Policy 
Leadership. 


Encouraging innovation 


Enabling good practice in artificial intelligence is one of the ICO’s priorities, 
recognising both the potential benefits the technology can bring society and the 
importance of public trust in how their data is used. 


In July, we published guidance to help organisations mitigate the data protection 
risks associated with AI projects, without losing sight of the benefits such a 
project can deliver. That work sits alongside our guidance produced with The 
Alan Turing Institute to give organisations practical advice to help explain 
processes, services and decisions assisted by AI, and will soon be supported by a 
detailed AI Risk Toolkit, providing a detailed and practical approach to risk 
managing data protection in AI. 


The theme of transparency around innovation is part of our continued regulatory 
sandbox. The scheme offers dedicated advice and support to organisations that 
are developing products and services that use personal data in innovative ways. 
This year we have been able to help NHS Digital in setting up their COVID-19 
vaccine trial registry, an organisation looking to use student activity data to 
support wellbeing, a company working to mitigate bias in biometric identity 
verification technology, and an analytics platform that uses pseudonymised 
transaction data to combat financial crime. We have also supported the 
international development of regulatory sandboxes, working with our equivalent 
bodies in Norway and France, and contributing to an OECD study on the 
effectiveness of sandboxes in encouraging innovation. 


Our Innovation Hub provides similar expert advice to regulators and businesses 
with a focus on enabling organisations to build privacy by design into their 
innovation and development. This year marked the end of the initial project, 
which was funded by the BEIS Regulators’ Pioneer Fund. Across 18 months, the 
Hub offered expertise to a wide range of projects, including assisting the 
Financial Conduct Authority’s regulatory sandbox, advising the Medicines and 
Healthcare products Regulatory Agency on the use of synthetic datasets and 
working with the Solicitors Regulation Authority to widen the public’s access to 
legal advice and support. In August, we were pleased to announce the ICO’s 
commitment to retaining the Hub on a permanent basis. The Hub, in common 
with much of our work to encourage innovation, helps to minimise compliance 
costs by making it easier for organisations to access expert support, which in 
turn enables growth for compliant controllers. 


This year we selected research projects for the third round of our grants 
programme, established to encourage research and privacy innovation in 
significant areas of data protection risk. The programme was set up to have a 
genuine impact on the UK information rights environment and improve public 
trust in how personal data is used. 


We supported projects that facilitated transparency around AI, big data and 
machine learning, as well as research that supports children’s rights, in line 
with our Age Appropriate Design Code. The projects we funded looked at smart 
homes, adtech and biometric technologies. We also launched the selection 
process for the fourth phase of the programme. This will be the final round of 
the current programme, after which we will produce a report reviewing the 
scheme’s success to inform the future of the project. 


Working with businesses 


Our advice and support focus firmly on enabling innovation to happen. We want 
to work alongside organisations, helping them to make changes and 
improvements to comply with the law to reduce mistakes and misuse of people’s 
data. 


Throughout COVID-19, we prioritised offering practical support on the new data 
protection questions that the pandemic asked of organisations. Our coronavirus 
information hub helped thousands of businesses with advice on working from 
home, collecting customer details for contact tracing and testing staff for 
coronavirus. We also introduced a phone line specifically to help organisations 
adapt the way they work during the pandemic, to ensure that data protection 
was not seen as an unnecessary barrier to achieving what they needed to for 
their customers, service users and staff. 


Our accountability framework is another example of the ICO working alongside 
organisations to improve practices. It is a practical tool designed to help 
organisations manage their approach to privacy, setting out a roadmap on what 
changes they need to make and how they can improve. We continue to develop 
the framework and have been pleased with the positive feedback around the 
practical ways it is helping organisations to embed accountability practices. 


Feedback on our detailed Subject Access Request guidance was similarly 
positive. The practical guidance was published in October and was shaped by 
more than 350 responses to our consultation from organisations of all sizes and 
sectors. The right of access to data is a cornerstone of data protection law, and 
our guidance is helping organisations to handle requests effectively and 
efficiently. 


This year we transformed our approach to advising and supporting small 
organisations, further developing a dedicated area of our website with the needs 
of small businesses, sole traders and SMEs in mind. Our data protection advice 
hub for small organisations has helped to reduce regulatory uncertainty for small 
businesses and means those in need of our help can find the answers they need 
more easily. It is in addition to our dedicated helpline and live chat services. 


For more established businesses, we are developing an advisory check-up 
service to identify what a business needs to do to become more efficient and 
effective in their data protection practices. These one-to-one sessions are 
already helping ensure businesses have the right tools and resources to develop 
and thrive - and we have used the insights gained from these sessions to update 
and improve our guidance for all small organisations. 


Enabling economic growth 


The ICO is committed to ensuring that consideration of economic impact is 
factored into our regulatory work, and the Regulators’ Code¹¹ requires us to take 
account of how we might support or enable economic growth. 


Over the past year, we have continued our focus on improving our analysis and 
understanding of the economic impact of our work. Our expanded economic 
analysis team has conducted impact analysis and led training for staff to better 
enable the use of proportionate and effective approaches to regulation. 


11 https://www.gov.uk/government/publications/regulators-code 


All this work appreciates the increased role data protection rights have in the 
UK’s economic health. Data privacy considerations are central to stimulating 
digital growth, regulating competition and efficient delivery of public services. 
With that in mind, cooperation with regulatory partners remains central to our 
work. 


In July 2020, the ICO worked with the Competition and Markets Authority and 
Ofcom to establish a new forum to help ensure online services work well for 
consumers and businesses in the UK. The Digital Regulation Cooperation Forum 
strengthened existing collaboration and coordination between the three 
regulators, and brings together collective expertise on data, privacy, 
competition, communications and content regulation. The Financial Conduct 
Authority joined as a member in April 2021. A workplan for the Forum was 
published in March 2021, setting out an intention to increase the scope and 
scale of cooperation in the coming year. Such cooperation will include the ICO's 
continued support of the new Digital Markets Unit, overseen by the Competition 
and Markets Authority. 


The ICO also continues to be an active member of the UK Regulators' Network. 
The Network's latest workplan includes a focus on enabling investment to 
support economic recovery, resilience and growth, with the ICO's contribution 
including sharing advice around enabling responsible data sharing. 


Section 3: Raising global data protection standards 


When UK consumers download an app, or sign up to a digital service, or interact 
with a website, they expect a level of data protection regardless of where in the 
world the company providing the service is based. 


That is why the ICO's work to raise data protection standards, both domestically 
and internationally, is so important. Increased standards improve consumer 
confidence in data-driven innovation, and ensure a level playing field for UK 
businesses competing internationally. 


The Age Appropriate Design Code (discussed earlier) is a good example of action 
that will start to have a real impact on global data protection standards in 2021, 
and has also influenced international instruments, such as the OECD's revised 
Recommendation on Children and the Digital Environment. 


Supporting organisations as the UK left the EU 


The ICO continued to support organisations following the UK’s withdrawal from 
the EU in January 2020. We provided advice and guidance to businesses and the 
public sector throughout 2020, in preparation for the end of the transition period 
in December 2020, with a focus on education around the instruments businesses 
could use to maintain their data flows from the EU, including in the event of the 
UK not achieving an adequacy decision. This included detailed work around the 
use of Standard Contractual Clauses to transfer data from the UK to countries 
outside of the EEA (European Economic Area). 


We welcomed the Treaty agreed by Government with the EU to allow personal 
data to flow freely from the EU and EEA to the UK while adequacy decisions were 
adopted later in 2021. We continue to update businesses on progress, as well as 
publishing updated advice to enable data transfers to countries outside of the 
EEA. 


In 2021, we provided independent regulatory advice to support the Government 
around the UK’s application for adequacy with EU data protection rules. We also 
welcomed the Government’s commitment to ensuring a continued high level of 
personal data protection and high international standards. 


Chairing the Global Privacy Assembly (GPA) 


As the international forum for data protection and privacy authorities, the GPA 
had a significant role to play during the pandemic. The Assembly was the leading 
global voice for privacy authorities, as well as offering a platform for best 
practice sharing as regulators around the world faced the same data protection 
questions and challenges. 


The ICO played a vital role in this work, with the Information Commissioner 
continuing to chair the Assembly, and the office providing the Secretariat. 


That role extended to organising and hosting the GPA’s annual conference, held 
digitally in October 2020 in recognition of the restrictions brought by COVID-19. 
More than 100 members and observers joined together to consider key data 
protection challenges, and to look to continued cooperation. There were 
important steps made towards improving the Assembly’s engagement with 
organisations outside of the regulatory community, as well as a commitment to 
continue work to support regulators to maintain privacy principles through the 
pandemic. 


The ICO’s contribution to the GPA, from raising standards globally to 
encouraging greater cooperation around enforcement, is important work that 
has a real impact domestically. The exchange of views and expertise with other 
regulators around the unprecedented challenges of COVID-19 helped to shape 
and share our views on contact tracing apps and effective approaches to 
engagement with government in the face of the health emergency, including 
around international vaccine passports. More broadly, the ICO’s input helped to 
shape GPA resolutions on facial recognition technology and accountability in 
artificial intelligence, both of which impact discussions on future use of these 
technologies both domestically and internationally. 


OECD Data Governance & Privacy Working Party 


The Deputy Commissioner for Regulatory Strategy continues as Chair of the 
OECD Data Governance & Privacy Working Party. 


The OECD’s privacy guidelines represent a model for how high data protection 
standards can converge and promote interoperability. Over the past twelve 
months, the ICO has contributed to a review of the guidelines to ensure they are 
still relevant and focused on key data protection areas. The working party is also 
assisting the Committee of Digital Economy Policy with its work on the critical 
area of government access to personal data. This seeks to address concerns 
about practices that fail to preserve trust in data flows and will play a key role in 
setting a clearer set of international principles and building trust in data flows. 


The last year has also seen considerable progress on a revised recommendation 
on children in the digital environment, which is expected to be formally approved 
in the middle of 2021. Importantly, the recommendation reinforces key 
principles of the ICO’s Children’s Code and will be a further step towards 
establishing it as a global standard. 


Advocating for high standards 


The Commissioner continues to play a prominent role in demonstrating the UK’s 
commitment to maintaining high data protection standards, while supporting 
others to achieve the same. 


In June 2020, the Commissioner appeared before the OECD’s Competition 
Committee, outlining the increasing overlap between data protection work and 
economic regulation. 


In January, the ICO supported the Council of Europe in its celebration of the 40th 
anniversary of Convention 108. The UK was a founding signee to the convention, 
which commits members to a set of baseline standards to protect citizens’ rights. 


The Commissioner also spoke at events with the International Committee of the 
Red Cross and the World Bank, where she pointed to the role that international 
organisations can play in driving high privacy standards around the world. 


International regulatory action 


Through our Global Privacy Assembly role, the ICO has led efforts to accelerate 
cooperation on international enforcement on live cases. This has enabled us to 
build our network with other global regulators where cross-border use of data 
impacts UK citizens. These relationships are helping us to improve multinational 
companies’ handling of data, reduce risks to UK citizens and build trust in the 
global data economy. Recent examples include a joint investigation into facial 
recognition company Clearview AI between the ICO and the Office of the 
Australian Information Commissioner, and international agreement on what 
privacy requirements are expected of video teleconferencing companies. 


Section 4: Our regulatory action 


The ICO is an independent and proportionate regulator. We work with 
organisations to make changes and improvements to comply with the law, and 
we know this can help them gain a competitive advantage in a thriving economy, 
as well as reducing mistakes and misuse of people’s data. Working alongside 
organisations is also central to maintaining the availability of ‘everyday FOI’ that 
is such an important part of democracy. 


Throughout 2020/21, we continued to review our regulatory approach, setting 
out in detail our clear and pragmatic approach to regulation, and pointing 
organisations to the support we offer. 


Our formal regulatory action was focused on areas where there had been the 
most significant impact on individuals through poor data protection practices. 
Here, we operated confidently, predictably and consistently to enforce the law, 
guided by our Strategic Threat Assessment process, which enables us to identify 
where risk, impact or harm is highest and to allocate resources accordingly. 


GDPR fines 


In 2020/21 we issued 3 fines, totalling £39.65m. 


In October 2020, we fined British Airways £20 million for failing to protect the 
personal and financial details of more than 400,000 of its customers. An ICO 
investigation found the airline was processing a significant amount of personal 
data without appropriate security measures in place and did not detect a 
cyber-attack in 2018 for more than two months. 


Later the same month, we fined Marriott International Inc. £18.4 million for 
failing to keep millions of customers’ personal data secure. An estimated 339 
million guest records worldwide were affected following a cyber attack in 2014 
on Starwood Hotels and Resorts Worldwide Inc. The ICO found that the company 
had failed to put appropriate measures in place to protect the personal data and 
did not detect the attack for four years. 


In November 2020, we fined Ticketmaster UK Limited £1.25 million for failing to 
keep customers’ personal data secure. The company failed to put appropriate 
security measures in place to prevent a cyber-attack on a chat bot installed on 
its online payment page. The data breach affected 9.4 million customers across 
Europe, including 1.5 million in the UK. The ICO investigation found that 60,000 
payment cards had been subjected to known fraud because of the breach. 


As part of the regulatory process in all three cases, the ICO considered 
representations from the companies, and considered the impact of COVID-19 on 
their business before setting a final penalty. 


Credit Reference Agencies 


The ICO acted to prompt improvements to how credit reference agencies handle 
data, in line with our focus on sectors with significant impact on individuals 
through poor data protection practices. 


Our investigation, which utilised our powers to serve assessment notices and 
undertake audits, focused on credit reference agencies’ use of personal data 
around direct marketing. We found significant ‘invisible’ processing was taking 
place, likely affecting millions of adults in the UK. 


Following ICO audit recommendations, Equifax and TransUnion made 
improvements and withdrew some products and services. An enforcement notice 
was issued to Experian to require changes in the way it provides privacy 
information to the significant percentage of the UK population who it held data 
on. This notice is currently subject to an appeal to the First-tier Tribunal 
(Information Rights) by the company. 


Further work around the data broking industry’s use of data continues. 


Mobile phone extraction by police forces 


Another area where the ICO took action to improve how people’s personal data 
was being handled was the use of mobile phone extraction by police forces. 


An ICO investigation into the use of the technique as part of criminal 
investigations in England and Wales found excessive amounts of personal data 
were often being extracted and stored without an appropriate basis in existing 
data protection law. The Commissioner expressed a concern that the approach 
risked dissuading citizens from reporting crime, and victims may be deterred 
from assisting police. 


The ICO published a report recommending measures to be implemented to 
improve compliance with data protection law and regain any lost public 
confidence. The report was well received: the National Police Chiefs’ Council 
subsequently withdrew digital consent forms, and government are also 
considering the wider recommendations within the report. 


Nuisance marketing firms 


The ICO has continued to act against nuisance marketing firms. 
We know that nuisance calls are an invasion of people’s privacy and can cause 
great distress and worry. Across the year, we have repeatedly taken robust 
action against companies who we found to be ignoring the law, issuing 35 
penalties under the Privacy and Electronic Communications Regulations totalling 
£2.306m. 


In January 2021 alone we issued four fines, to companies we found to have 
made a total of 2.4 million illegal calls. 


Our work does not stop with fines, and where companies fail to pay, we take 
action that can lead to companies being wound up. We can also act against 
people involved in those companies: twenty-seven directors have so far been 
disqualified for a total of 165.5 years following ICO enforcement action around 
nuisance marketing. 


We are also an active part of the international UCENet, alongside Ofcom. The 
network coordinates information and intelligence-sharing to combat nuisance 
calls and unsolicited messaging. 


Investigation into the adtech industry 


The ICO continues to investigate real time bidding (RTB) in the adtech industry. 
Work was paused in May 2020, as we prioritised activities responding to 
COVID-19, and resumed in January 2021. 


The complex system of real time bidding (RTB) in the adtech industry can use 
people's sensitive personal data to serve adverts and requires people's explicit 
consent, which is not happening right now. Sharing people's data with 
potentially hundreds of companies, without properly assessing and addressing 
the risk of these counterparties, also raises questions around the security and 
retention of this data. 


Since resuming the investigation, we have conducted audits focusing on data 
management platforms, giving us a clearer picture of the state of the industry. 
We will be issuing assessment notices to specific companies in the coming 
months. 


Since resuming the investigations, we issued the first of a series of assessment 
notices, with the remaining assessment notices being issued, and the associated 
audits conducted, over the coming months. 


Data broking plays a large part in RTB and following our data broking 
investigation into offline direct marketing services and enforcement action for 
Experian in October 2020, we are reviewing the role of data brokers in this 
adtech eco-system. 


We are also continuing to work with the Competition and Markets Authority 
(CMA) in considering Google’s Privacy Sandbox proposals to phase out support 
for third party cookies on Chrome. 


Transparency regulatory action 


As well as providing advice and support to both public authorities and those 
making Freedom of Information requests, the ICO also resolves complaints 
where requests have been denied. This year we dealt with 4,000 FOI complaints, 
and issued 1,029 Decision Notices to public authorities requiring the release of 
information. The ICO can also issue practice recommendations, where we 
consider a public authority has not met expected transparency standards. We 
issued four such notices in the past year, all of which prompted necessary 
compliance steps and positive improvement in performance around timeliness of 
responses, internal reviews and communication with requestors. 


Section 5: Supporting the public sector 


The past year has seen an acceleration in innovation within the public sector, 
from the growth in delivering services digitally to data-driven solutions to 
respond to the pandemic. 


The ICO has a clear focus on supporting organisations to deliver innovation while 
complying with the law and maintaining public trust. Our work encouraging 
transparency and regulating the Freedom of Information Act is central to this. 


Promoting data sharing in the public sector 


As an office, we see regular examples of how sharing data between 
organisations can improve services, not least through the role data sharing 
played in supporting and protecting people during the response to COVID-19. 


The ICO’s advice around data sharing has had a tangible impact, notably when 
we were able to advise public authorities and supermarkets on how to share 
information to support vulnerable people shielding, or through our support of 
health data being shared to support fast, efficient and effective delivery of 
pandemic responses. 


In December 2020, we published our Data Sharing Code of Practice. The code 
reiterated that the law can be an enabler to responsible data sharing. 
It was launched alongside a suite of new resources and provides practical 
advice to organisations on how to carry out responsible data sharing. 


The ICO will continue to provide clarity and advice on this valuable area, and to 
contribute to work to overcome cultural, technical and organisational barriers to 
data sharing. The Commissioner has been clear that the ICO will be at the 
forefront of a collective effort to address the technical, organisational and 
cultural challenges to data sharing, particularly within the public sector. That 
work includes continued engagement with organisations and a focus on data 
sharing through our regulatory sandbox. 


Supporting the public sector through COVID-19 


As part of our ongoing support of organisations focused on the challenges which 
they faced due to COVID-19, we offered dedicated advice to the public sector. 
This included guidance for community groups and health and social care 
organisations, as well as broader advice for covering employees working from 
home, using their own devices, and organisations collecting customer and visitor 
details for contact tracing. 


The ICO also has a key role to play around innovative responses to the 
pandemic. We want to enable progress that can help society and protect the 
people whose data - and trust - such projects rely on. 


Department for Education audit 


In October 2020, we published the outcome of a compulsory audit of the 
Department for Education (DfE), prompted by complaints from civil society 
groups. The audit found that data protection was not being prioritised and this 
had severely impacted the department's ability to comply with the law. As a 
result of the ICO's action, the DfE have made a significant number of changes 
including the allocation of additional resources and investment to create a single 
Data Protection Office which has established data protection as a core 
departmental function. The DfE has also reviewed the data it is processing and 
deleted all previously held data related to the origin of birth and nationality of 
school children. The ICO are continuing to monitor the DfE's progress against the 
remaining outstanding recommendations. 


Supporting transparency 


Transparency around public authority decisions has never felt 
so important, from the everyday FOI decisions that are such an important part 
of democracy to recordkeeping around significant pandemic decisions. 


The past year has also been a period of significant challenge to many public 
authorities, with resources understandably focused on public health priorities, as 
well as the practical impact remote working brings. 


The ICO has looked to be pragmatic and empathetic throughout this period, to 
best support transparency. We set out our regulatory approach clearly in April, 
with updates in July and October, and consistently offered support and advice to 
public authorities and those making FOI requests. 
That support included the launch of an FOI toolkit, designed to help public 
authorities self-assess performance in responding to requests. The toolkit, which 
continues to be expanded and developed, prompted positive feedback, and is 
already helping authorities to handle requests quicker and more efficiently. 


We continue to support the extension of the Freedom of Information Act to cover 
services outsourced by public authorities, and the Commissioner spoke with MPs 
at the DCMS Select Committee to again make the case for this change to the 
law. The ICO also worked with the National Archives, as part of an ongoing 
review of records management. 


Responses to information access requests by police forces 


Demonstrating accountability and transparency are important aspects of 
modern-day policing, and the ICO has worked with police forces to improve 
performance in this area. 


In November 2020, we published a report into the performance of forces in 
England, Wales and Northern Ireland in responding to information access 
requests within statutory time limits. 


The report detailed areas of good practice that forces could learn from, as well 
as practical recommendations to drive improvements. We also issued three 
police forces with practice recommendations, referenced in our previous 
transparency regulatory action section. 


As a result of our actions we have seen demonstrable improvements in 
compliance from a number of constabularies and continue to engage across the 
sector to build on the foundations laid. 


International Conference of Information Commissioners (ICIC) 


The Information Commissioner continues to chair the ICIC, working with other 
regulators to encourage transparency and share best practice. 


A focal point for the past year was access to information during the pandemic, 
and the ICIC published a widely read statement setting out the need for 
pragmatism while reiterating the value of transparency and good recordkeeping 
throughout an important period in history. 


The ICIC also signed a commitment to strengthen global awareness of access to 
information through partnership with UNESCO. 


Section 6: Delivering the ICO service experience 


In common with organisations across the country, a key focus for the ICO this 
year was continuing to provide our services through the pandemic. The ICO 
closed its offices in March 2020 in line with national guidelines, and only a 
handful of staff were able to return to our offices over the following twelve 
months. 


Demand for our services remained high across the year. 


Privacy continues to be a mainstream concern, as evidenced by the considerable 
number of data protection complaints received by the ICO this year. We received 
36,607 new complaints during 2020/21, only a slight decrease from the 38,514 
we saw in 2019/20, and more than in 2018/19. 


The pandemic reduced the number of Freedom of Information complaint cases 
we received in the early part of the year, but we saw a gradual return to usual 
levels of intake as the year progressed. Overall, we received 4,853 cases, 
compared to 6,367 in 2020/21. 


The volume of enquiries through our helpline, live chat and email remained high, 
though at a reduced level compared to 2019/20. 


Our performance in responding to that workload is testament to the contingency 
planning we had in place prior to the pandemic, the expertise of our IT and 
technical support and, most of all, the commitment and passion of our staff. 


More information on the ICO’s response to COVID-19 will be found in our report 
to Parliament, expected to be published before the summer. 


Full details of our operational performance follow in this report. Details 
of our focus on the wellbeing of our staff this year can be found in the 
‘Employee involvement and wellbeing’ section, later in this report. 


Annex: Operational performance 


Data Protection Complaints 


Over the past couple of years, we have reported on the significant increases in 
data protection complaints as the public became more familiar with their 
information rights and the implications and obligations that come with the GDPR. 
This year has seen the level of complaints remain static, given the issues of the 
pandemic and the significant disruption to the work of many data controllers. 
This was particularly apparent during the first national lockdown in quarter 1 of 
2020/21. We expected that resources would be diverted away from work around 
information rights in many areas, but it soon became apparent that after an 
initial period of finding new ways of working, most organisations continued to 
deal with concerns about how personal data was being handled and shared. 
Those that were unhappy with the way that data controllers answered those 
complaints brought concerns to us, in significant numbers. We received 36,607 
new complaints during 2020/21. That is only a slight decrease from the 38,514 
that we saw in 2019/20. 


We were able to close 31,055 complaints, which is slightly less than we would 
have liked. In line with many organisations, we found it challenging to bring in 
the staff that were needed at the start of the first national lockdown and it took 
us a small amount of time to adapt to deliver these services with a fully remote 
workforce. We began the year carrying significant vacancies in our operational 
areas, but we have now addressed that shortfall and are well on track to exceed 
intake with output. That in turn will allow us to deal with cases quicker. Although 
we have been able to deal with around 84% of cases within six months of 
receipt, we expect to improve that significantly as we move into 2021/22. We 
have also been able to move all our casework into our new casework 
management system, which we also expect to provide efficiencies as we develop 
its functionality in the coming year. 


[Chart: DP complaint casework received. 2020/21: 36,607.] 


[Chart: DP complaint casework finished, for 2020/21, 2019/20 and 2018/19.] 


Caseload 


31/03/2021 12,072 
31/03/2019 9,503 


Note: In our casework system, cases can move between caseload classifications. 
Therefore, the figure calculated by taking the caseload as at 31 March 2020, 
adding cases received during 2020/21 and subtracting cases closed during 
2020/21 does not add up to the caseload as at 31 March 2021. 


[Chart: Age distribution of caseload, by age band (0-30 days, 31-90 days, 91-180 days, 181-365 days, 366+ days), as at 31/03/2019, 31/03/2020 and 31/03/2021.] 


[Chart: Age distribution of finished casework (180 days or less, 90 days or less, 30 days or less), for 2020/21, 2019/20 and 2018/19.] 


[Chart: Age distribution of finished casework, by age band (0-30 days, 31-90 days, 91-180 days, 181-365 days, 366+ days), for 2020/21, 2019/20 and 2018/19.] 


[Chart: Sectors generating most complaints. Sectors shown: General business; Local Government; Health; Internet; Policing and criminal records; Central Government; Retail.] 


[Chart: Sectors generating most complaints 2020/21. Sectors shown: Finance, insurance and credit; General business; Online Technology and Telecoms; Health; Land or property services; Local government; Transport and leisure; Retail and manufacture; Central Government; Justice; Education and childcare; Legal; Utilities; Charitable and voluntary; Membership association; Media; Political; Regulators; Social care; Marketing; Religious; Other.] 


[Chart: Reasons generating most complaints, 2019/20 and 2018/19. Reasons shown: Subject access; Disclosure of data; Right to prevent; Inaccurate data; Obtaining data; Fair processing info not provided; Use of data; Retention of data; Excessive/Irrelevant data.] 


Freedom of Information complaints 


This year we received 4,853 Freedom of information complaint cases, compared 
to 6,367 in 2019/20. 


The wider, national conditions surrounding the pandemic clearly suppressed the 
overall volume of cases received through the year; however, we have seen a 
gradual return to usual levels of intake as the year has progressed. The rise in 
the active caseload through the year reflects the migration of our casework to a 
new system, from which these figures are generated; the migration was 
completed in Q3. We have managed this caseload reasonably well, closing 
exactly 4,000 cases during the year. There has been some build-up of the 
caseload, which we will be working to address over the course of the 2021/22 
financial year. 


All our casework function was successfully transferred to a homeworking 
environment from the outset of the lockdown restrictions; however, these same 
arrangements have influenced the way in which some public authorities have 
been able to deal with our enquiries. The very nature of the information sought 
has meant that the lack of physical access to documents and storage facilities 
has impacted on the average age of our cases. There will be a focus on these 
matters as lockdown restrictions are lifted, to be able to progress the oldest 
cases as soon as possible. Nonetheless, there is an obvious effect on both those 
cases over 12 months old and the age profile generally. It is anticipated 
that this will be rectified in the medium term. 


Cases awaiting further information are those that require additional 
documentation from the complainant before the case can be considered eligible. 
The figures do contribute to the Active Caseload total, as the case will be 
progressed should the required detail be provided; however, if no response is 
received after thirty days, these cases are closed. 


We issued 1,062 statutory decision notices this year. Each party to a decision 
notice has the right to appeal the decision to the First-tier Tribunal (Information 
Rights). The number of decision notices being appealed has remained static at 
22% in both 2019/20 (311) and 2020/2021 (236). 83% of appeals were 
successfully defended during 2020/21. 


[Charts: FOI complaints - Received, Finished and Caseload. Years shown: 2020/21, 2019/20 and 2018/19.] 


[Chart: Age distribution of caseload %, by age band (0-30 days, 31-90 days, 91-180 days, 181-365 days, 366+ days), as at 31/03/2019, 31/03/2020 and 31/03/2021.] 




Annual report 2020/21 | Performance report 


[Chart: Age distribution of finished casework % (365 days or less, 180 days or less, 90 days or less, 30 days or less), as at 31/03/2021, 31/03/2020 and 31/03/2019.] 


[Chart: Age distribution of finished casework, by age band (0-30 days, 31-90 days, 91-180 days, 181-365 days, 366+ days), for 2020/21, 2019/20 and 2018/19.] 


Outcomes 2020/21 


No Further Action - no action 44.4% 
Decision notice served 6% 
Action taken - Informally resolved 
No Further Action - Informally resolved 
No Further Action - Not info rights 
Informal action taken - Informally resolved 0.8% 


Outcome of a complaint casework where a decision notice is served 


Total served 1446 
Upheld 462 
Not upheld 697 
Partially upheld 287 


[Chart series: 2020/21, 2019/20 and 2018/19.] 


[Chart: Sectors generating most complaints, 2019/20 and 2018/19. Sectors shown: Local government; Central government; Police & criminal justice; Health; Education; Private companies.] 


[Chart: Sectors generating most complaints 2020/21. Sectors shown: Local government; Central Government; Health; Justice; Education and childcare; Regulators; Transport and leisure; General business; Land or property services; Charitable and voluntary.] 


FOI appeals 


[Chart: FOI appeals - Received, for 2018/19, 2019/20 and 2020/21.] 


Finished 
2018/19 230 
2019/20 198 
2020/21 185 


[Chart: FOI appeals - Caseload by court (1st Tier tribunal, Upper tribunal, Court of appeal, European court, High court), as at 31/03/2021, 31/03/2020 and 31/03/2019.] 


[Chart: Outcomes of appeals finished 2020/21. Outcomes shown: Dismissed; Allowed; Withdrawn; Struck out; Part Allowed (incl. Consent Order); No right of appeal / appeal refused (2%).] 


Advice services 


Although the pandemic influenced our live services and the colleagues who run 
them, we successfully operated all our services remotely throughout the various 
stages of social restrictions, providing advice to organisations, and help and 
support to the public. 


As part of our COVID-19 response, we introduced a phone line specifically to 
help organisations adapt the way they work during the pandemic, to ensure that 
data protection was not seen as an unnecessary barrier to achieving what they 
needed to for their customers, service users and staff. 


Whilst we saw a marked reduction in the number of customers (organisations 
and members of the public) who asked us directly for information rights advice 
by email, phone or live chat, which we believe was related to the pandemic, we 
did receive 319,377 calls to our helplines. Despite the challenges faced in 
terms of homeworking (and home-schooling for some), we answered 92% of all 
calls into the office, with an average speed of answer of 77 seconds. We also 
answered over 75,000 requests for live chat and over 11,000 requests for 
written advice. 


Calls to the helpline 


           Calls received   Calls answered 
2020/21           319,377          292,448 
2019/20           395,197          340,350 
2018/19           411,656          266,889 


[Chart: Call answer rates - Average wait time (seconds), for 2020/21, 2019/20 and 2018/19. 2018/19: 391.] 


[Chart: Call answer rates - Percentage answered.] 


[Chart: Live Chat - Chats answered and Chats requested, for 2020/21, 2019/20 and 2018/19.] 


[Chart: Chat answer rates - Percentage answered, for 2020/21, 2019/20 and 2018/19.] 


[Chart: Chat answer rates - Average wait time (seconds). 2019/20: 118.] 


[Chart: Written advice - Received, for 2020/21, 2019/20 and 2018/19.] 


[Chart: Written advice - Finished, for 2020/21, 2019/20 and 2018/19.] 


Written advice - Caseload 


31/03/2021 680 
31/03/2020 131 
31/03/2019 123 


[Chart: Age distribution of finished advice work (30 days or less, 14 days or less, 7 days or less), for 2020/21, 2019/20 and 2018/19.] 


[Chart: Helpline calls 2020/21 - Received and Answered.] 


[Chart: Size of Public Register 2020/21.] 


Public Register as at year end 
31 March 2021 875,762 
31 March 2020 738,769 
31 March 2019 599,567 


Personal data breach reports 


We've received fewer personal data breach reports this year due to the 
pandemic. There has been a continuation of a trend we've seen since the 
introduction of mandatory breach reporting, of PDB reports from sectors that 
handle large volumes of personal data. In some sectors, there is a strong 
correlation between the volume of reports received, the sensitivity of the data 
and awareness of reporting thresholds. Reporting can be higher where there are 
dedicated DPOs and well-developed breach reporting processes. In most of the 
cases we assessed, we determined that the organisation had measures in place 
or was taking steps to address the breach without further action being required 
by the ICO. Where appropriate, we offer advice and recommendations to help 
the data controller to improve their information rights practices and prevent a 
recurrence of a similar breach. 


[Chart: Personal Data Breaches - Received, for 2020/21, 2019/20 and 2018/19.] 


Personal Data Breaches - Outcomes 


No Further Action - Breach recorded - regulatory... 71.4% 
Investigation Pursued 
Informal action taken - Breach recorded -... 
No Further Action - Not PDB 
No Further Action - Unassigned 
No Further Action - No action 
Action taken - Administrative - lower tier fine 


[Chart: Sectors generating most PDB. Sectors shown: Health; Education and childcare; Retail and manufacture; Finance, insurance and credit; Local government; Legal; Charitable and voluntary; Land or property services; General business; Online Technology and Telecoms; Central Government; Social care; Transport and leisure; Justice; Membership association; Utilities.] 


PECR concerns 


[Chart: PECR Concerns - Concerns reported, 2020/21 and 2019/20. Values shown: 123,569; 127,940; 138,368.] 


[Chart: PECR Concerns - Cookie concerns reported.] 


Nature of telesales and SPAM texts reported 


                                                2020/21   2019/20   2018/19 
Telesales call where I heard a recorded voice    60,004    51,964    64,798 
Telesales call where I spoke to a person         46,343    50,647    57,502 
SPAM texts                                       17,222    14,343    14,665 


Information Access 


There have been significant increases in information requests to the ICO over 
the last couple of years as the public have become more familiar with GDPR, 
their information access rights, and with the raised profile of the ICO. Between 
2017/18 and 2020/21 there was a 39% increase in Information Access requests 
received by the ICO, with 2,099 total requests received for 2020/21 compared to 
1,509 in 2017/18. In the first quarter of 2020/21, as the pandemic struck, 
requests fell slightly, but since then demand has continued to rise to near the 
levels seen during 2019/20, which saw 2,747 requests. 


Despite the difficulties brought about as we faced our new ways of working from 
home, and with a number of the Information Access team juggling home-schooling 
and other caring responsibilities during the pandemic, over the year 
we have completed around 85% of information access requests within required 
timescales. Overall, 54% of the requests we received are Freedom of 
Information requests and 37% are requests under the data protection 
legislation, with around 10% being complex requests under a hybrid of 
legislation. Whilst demand for information request reviews increased through the 
year, only 4% of the requests we dealt with led to internal review, on par with 
2019/20. Of these reviews, only 7% were fully upheld. 


[Chart: Information Access - Requests received, for 2020/21, 2019/20 and 2018/19.] 


[Chart: Information Access - Requests completed, for 2020/21, 2019/20 and 2018/19.] 


[Chart: DPA, FOIA, Hybrid and EIR, for 2020/21, 2019/20 and 2018/19.] 


Response times - Time for compliance 
2020/21 85% 
2018/19 94% 


Response times - Average time (days) 
2020/21 29 


[Chart: Internal reviews - Reviews completed, for 2020/21, 2019/20 and 2018/19.] 


[Chart: Internal reviews - Response times (Completed in 20 days, Average days), for 2020/21, 2019/20 and 2018/19.] 


[Chart: Internal reviews - Review outcomes (Not upheld, Partially upheld, Upheld), for 2020/21, 2019/20 and 2018/19.] 


Financial performance summary 


Grant-in-aid 


Freedom of information expenditure continued to be funded by grant-in-aid. In 
addition, our work on Network and Information Systems (NIS), the Investigatory 
Powers Act (IPA) and the Electronic Identification and Trust Services Regulations 
(eIDAS) was funded by grant-in-aid. The total grant-in-aid available for 2020/21 
was £6.2m (2019/20: £6.3m). 


No grant-in-aid was carried forward in 2020/21 (2019/20: nil). 


Fees 


Under the DPA 2018, data protection related work continues to be financed by 
fees collected from data controllers. The annual fee structure is: 


• £40 for charities or organisations with no more than 10 members of staff 
or a maximum turnover of £632,000; 


• £60 for organisations with no more than 250 members of staff or a 
maximum turnover of £36m; and 


• £2,900 for all other organisations. 


A £5 discount was available for all fees which were paid by direct debit. 


Fees collected in the year totalled £53.205m (2019/20: £48.712m), a 9% 
increase on the previous year. As of 31 March 2021, 875,762 data controllers 
were registered to pay the data protection fee, an increase of 136,993 (18.5%) 
from 31 March 2020 (738,769). 


The ICO has a strategic objective to ensure that all those required to pay a data 
protection fee are able to do so, ensuring that the cost of funding the work of 
the ICO is distributed fairly and proportionately amongst those with a legal 
obligation to pay a fee as required by Parliament. 


To achieve this, we have undertaken an ongoing programme of work to contact 
organisations not currently paying a data protection fee to make them aware of 
the requirements of the Data Protection Act. While this work was paused in the 
first half of 2020/21 as a result of the COVID-19 pandemic, it recommenced in 
late 2020, resulting in a significant increase in fees paid in the last quarter of the 
year. 


In addition, the total comprehensive expenditure for the year was significantly 
lower than the prior year: £3.019m in 2020/21, compared to £5.046m in 
2019/20. Due to the level of economic uncertainty of the first half of 2020/21 
resulting from the pandemic, the forecast level of expenditure was reviewed and 
reduced. In addition to our usual prudent approach, this year we also considered 
whether the impact of the COVID-19 pandemic was likely to compromise our 
ability to deliver our statutory responsibilities when approving new spend and 
projects. As a result, some areas of spend were deferred to 2021/22. 


The result of the higher than anticipated fee income in the last quarter and the 
reduction in expenditure as set out in note 2 of the Financial Statements. We 
anticipate continuing to contact organisations to make them aware of the 
potential requirement to pay a data protection fee in 2021/22 and will be 
undertaking the projects which we deferred from 2020/21, to ensure the ICO 
continues to enhance its services for its stakeholders. We will also continue to 
work with DCMS to keep the level of the data protection fee under review. 


Financial instruments 


Details of our approach and exposure to financial risk are set out in note 9 to the 
financial statements. 


Civil Monetary Penalties 


The Information Commissioner can impose civil monetary penalties (CMPs) for 
serious breaches of the DPA of up to 4% of global turnover. For breaches of 
PECR, penalties of up to £500k can be imposed. A penalty can be reduced by 
20% if it is paid within 30 days of being issued. The CMPs collected by the 
Information Commissioner are paid over to the Government’s Consolidated 
Fund. 


CMPs are subject to a right of appeal to the First-tier Tribunal, either against the 
imposition of the monetary penalty and/or the amount of the penalty specified in 
the CMP notice. If CMPs are subject to appeal they are not recognised until the 
appeal process is finalised and the CMP is upheld. The amounts recognised are 
regularly reviewed and subsequently adjusted in the event that a CMP is varied, 
cancelled, impaired or written off as irrecoverable. Amounts are written off as 
irrecoverable only on the receipt of legal advice. 


The costs of any legal fees incurred in the imposition and recovery of the CMPs 
are currently fully borne by the ICO. These amounted to £155k in 2020/21 and 
£573k in 2019/20. The ICO has proposed that legal fees incurred in the 
imposition and recovery of a CMP are recovered from CMP income. This would 
ensure that litigation costs are not funded by fee-paying organisations and this 
cost recovery model is in practice at other UK regulators. If approved this will be 
implemented in future financial years. 


During 2020/21 the ICO imposed in total £41.959m in CMPs. There is a further 
£2.990m which is still under appeal and accordingly is not recognised. Within the 
total CMPs imposed, £20m relates to a penalty under DPA for British Airways and 
£18.4m for a penalty under DPA for Marriott Hotels. Both of these CMPs have 
agreed payment plans, which are being paid in equal annual instalments. 


At the year end the CMPs still to be collected by the ICO and subsequently paid 
to the Consolidated Fund total £28.667m. The table below provides a summary of 
the position in relation to CMPs. 


                                                                                          £m 
CMPs due at year end 31 March 2020                                                     2.456 
CMPs imposed during 2020/21                                                           41.959 
Discounts due to early settlement                                                    (0.239) 
CMPs collected in 2020/21 and paid to the Government's Consolidated fund within year (6.977) 
CMPs collected in 2020/21 and due to be paid to the Government's Consolidated fund 
after the year end                                                                   (5.304) 
CMPs written off/impaired during 2020/21                                             (3.742) 
CMPs yet to be collected at year end                                                  28.667 
CMPs at year end on agreed payment plan                                               27,370 


Sustainability 


Overall strategy 


Our carbon footprint is generated primarily from heating and lighting ICO 
accommodation, powering our IT infrastructure and from business travel. We 
make as full a use of technology as possible to reduce electricity and gas 
consumption; for example, by purchasing low energy use IT, fitting new more 
efficient boilers and installing motion detecting lights. We have also moved our 
electricity onto a 100% renewable tariff for the majority of our estate. 


During 2020/21 Covid 19 had a significant impact on the way of working for the 
ICO with staff working from home for the majority of the year. There were short 
periods when offices were open to a small number of staff undertaking essential 
tasks. 


We therefore made use of appropriate and effective technology to allow staff to 
continue to fully undertake their roles while not travelling and not being in the 
office. We also made full use of appropriate communication tools to ensure we 
could continue to engage with stakeholders through relevant channels. As a 
growing organisation there are always increasing demands to engage with 
external stakeholders both domestically and internationally. In previous years 
this would have led to continued business travel demands, but due to Covid 19 
restrictions we have communicated electronically instead of travelling for face-to-face 
meetings. As an organisation the ICO will take the lessons learnt during the 
pandemic and review the need for all future domestic and international travel 
and whether there are suitable alternative ways to fulfil these commitments 
using technology. 


Performance 


Throughout 2020/21 the ICO, along with all organisations within the UK, was 
working within the parameters laid down by Government and the necessary 
restrictions due to Covid 19. This meant all ICO staff worked from home apart 
from periods when the offices could be open for essential tasks only for a small 
number of individuals. 


Due to travel restrictions we made use of technology to communicate with 
stakeholders instead of face-to-face meetings. This had a material impact on the 
carbon emissions associated with both domestic and international travel. 


Through having our offices closed for the majority of the year we significantly 
reduced our CO2 emissions. This was combined with the move to an electricity 
tariff that uses 100% renewable electricity for the majority of the estate. We 
also consequently reduced the production of waste, use of water and paper. 


Even though we did not fully occupy the estate we still needed to heat the 
buildings for the full year. As the estate was larger than previous years and 
unoccupied there was a greater call on gas to ensure the empty buildings were 
kept at an appropriate temperature. 

Biodiversity action planning 

The ICO is not responsible for any outside space and therefore does not have a 
biodiversity plan. 

Sustainable procurement 

We ask those tendering for contracts to provide their sustainability statements 
and policies as standard in most procurement exercises. 

Greenhouse gas emissions 


Please note: the figures in the tables below do not include any emissions or 
waste from employees working from home. 


Total tonnes CO2 

                        2017/18   2018/19   2019/20   2020/21 
Scope 1 (gas)                 6        36        17        44 
Scope 2 (electricity)       172       160       275        29 
Scope 3 (travel)            127       202       182         1 
Total emissions            306*       398       474        74 


*Not a direct sum due to rounding. 


Tonnes CO2 per full time equivalent staffing 

                        2017/18   2018/19   2019/20   2020/21 
Scope 1 (gas)              0.01      0.06      0.02      0.06 
Scope 2 (electricity)      0.33      0.26      0.37      0.04 
Scope 3 (travel)           0.25      0.33      0.24      0.00 
Total                      0.59     0.66*      0.63      0.10 


*Not a direct sum due to rounding. 


Waste minimisation and management and finite resource consumption 


Total waste, water and paper consumption 

                          2017/18   2018/19   2019/20   2020/21 
Waste / tonnes                 37        35        36 
Water consumption / m3      5,963     3,983     3,182 
A4 paper / reams            4,300     4,280     4,544 


Waste, water and paper consumption per full time equivalent staffing 

                          2017/18   2018/19   2019/20   2020/21 
Waste / tonnes               0.07      0.06      0.05     0.004 
Water consumption / m3      11.61      6.57      4.23      0.72 
A4 paper / reams             8.37      7.06      6.03      0.25 


Details of ICO performance 


Total travel 

                  2017/18     2018/19     2019/20     2020/21 
Cars 
Kms                40,216      57,336      43,656       1,761 
Cost £             11,023      14,699      11,506         486 
Tonnes CO2              8          11           8         0.3 
Rail 
Kms               820,202   1,120,361   1,133,971       8,190 
Cost £            259,483     404,552     341,668       2,612 
Tonnes CO2             37          51          51         0.2 
Flights 
Number                515       1,060         734           0 
Kms               523,413     889,325     781,541           0 
Cost £            103,127     202,847     151,422           0 
Tonnes CO2             82         140         123           0 
Travel summary 
Cost £            373,033     622,098     504,596       3,097 
Tonnes CO2            127         202         182         0.5 


Travel per full time equivalent staffing 

                  2017/18     2018/19     2019/20     2020/21 
Cars 
Kms                 78.27       94.61       57.98        2237 
Cost £              21.45       24.26       15.28        0.65 
Tonnes CO2           0.01        0.02        0.01        0.00 
Rail 
Kms                 1,996       1,848    1,505.94       11.02 
Cost £             505.03      667.58      453.74        3.52 
Tonnes CO2           0.07        0.08        0.07        0.00 
Flights 
Number               1.00        1.75        0.97           0 
Kms              1,018.71    1,467.53    1,037.90           0 
Cost £             200.71      334.73      201.09           0 
Tonnes CO2           0.16        0.23        0.16           0 
Travel summary 
Cost £             727.20    1,026.56      670.11        4.17 
Tonnes CO2           0.25        0.33        0.24        0.00 


*Not a direct sum of tables above due to rounding. 


Total utilities 

                  2017/18     2018/19     2019/20     2020/21 
Gas 
Kwh                34,514     195,575      94,989     244,507 
Cost £              1,549       6,281       4,151       8,578 
Tonnes CO2              6          36          17          44 
Electricity 
Kwh               343,910     319,151     551,804     413,340 
Cost £             65,122      51,995      95,410      78,333 
Tonnes CO2            172         160         275          29 
Utility summary 
Cost £             66,671      58,276      99,561      86,912 
Tonnes CO2            178         196         292          73 


Utilities per full time equivalent staffing 

                  2017/18     2018/19     2019/20     2020/21 
Gas 
Kwh                 67.17     3242.73      126.15      329.10 
Cost £               3.01       10.36        3.91       11.54 
Tonnes CO2           0.01        0.06        0.02        0.06 
Electricity 
Kwh                   669         527      732.81      556.31 
Cost £             126.75       85.80      126.71      105.43 
Tonnes CO2           0.33        0.26        0.37        0.04 
Utility summary 
Cost £             129.76       96.17      132.22      116.97 
Tonnes CO2           0.35        0.32        0.39        0.10 


Whistleblowing disclosures 


The ICO is a ‘prescribed person’ under the Public Interest Disclosure Act 1998, 
meaning that whistleblowers are provided with protection when disclosing 
certain information to us. 


The Prescribed Persons (Reports on Disclosures of Information) Regulations 
2017 require prescribed persons to report annually on whistleblowing disclosures 
made to them. 


The number of whistleblowing disclosures made to us in respect of external 
bodies during the period 1 April 2020 to 31 March 2021 was 309. All information 
provided was recorded and used to develop our overall intelligence picture, in 
line with our Information Rights Strategic Plan 2017-2021. 


Further action was taken on 69 of these disclosures. This may result in referral 
to appropriate departments for further consideration, referral to external 
organisations (including other regulators and law enforcement) or consideration 
for use of our enforcement powers. After review and assessment 240 of the 309 
disclosures resulted in no further action taken at that time. 


During the period 1 April 2020 to 31 March 2021 further action on the 69 
disclosures resulted in 82 referrals to various departments overall; 11 
disclosures resulted in referrals to two departments; one disclosure resulted in 
referral to three departments. 


The outcomes of these referrals: 


• 44 disclosures were taken into consideration for the investigations. 

• 13 disclosures were referred to Advice Services and the Personal Data 
Breach Team including providing advice to the whistleblower and where it 
would be more appropriate for the matter to be raised as a complaint. 

• five disclosures were considered for non-payment of the data protection 
fee. 

• three disclosures were referred to other departments for various actions. 

• 16 disclosures were considered for tactical and strategic assessment. 

• one disclosure was referred to an external agency. 


After receipt of a concern, we will decide how to respond in line with our 
Regulatory Action Policy. In all cases, we will look at the information provided by 
whistleblowers alongside other relevant information we hold. For example, if an 
organisation reports a breach to us, we may use information provided by a 
whistleblower to focus our follow-up enquiries. More broadly, we may use 
information from whistleblowers to focus our liaison and policy development 
within a sector, using the information to identify a particular risk or concern. 
Going concern 


The accounts are prepared on a going concern basis as a non-trading entity 
continuing to provide statutory public sector services. 


Grant in aid has already been included in the DCMS's estimate for 2021/22 and 
the DPA 2018 allows the ICO to fund data protection related work through fees 
paid by data controllers. The DPA 2018 is UK law and continues to apply 
following the UK's exit from the EU. 


There is no reason to believe that future sponsorship and parliamentary approval 
will not be forthcoming. 


The ICO has budgeted income of £69m for the year 2021/22. Considering the 
impact of COVID-19 on the UK economy, we have reviewed the mechanism by 
which the ICO is funded and assessed what the impact on our funding might be. 
The budget set has considered the risks over potential fee income and has set a 
budget based on prudent assumptions. The ICO continues to review the budget 
and risks within it with DCMS. It is therefore appropriate to adopt a going 
concern basis for the preparation of these financial statements. 




Elizabeth Denham 
22 June 2021 
Directors’ report 


Directorships and other significant interests held by Board 
members that may conflict with their management 
responsibilities 


Membership of the ICO’s Management Board, along with further information, is 
detailed in the Governance statement. 


A register of interests is maintained for the Information Commissioner and her 
Management Board. It is published on our website at ico.org.uk. Declarations of 
interest in any of the items considered at a particular meeting are also asked for 
at Management Board and Audit and Risk Committee meetings. 


Employee involvement and wellbeing 


Employee wellbeing has always been at the heart of the ICO’s people strategy, 
and this has never been more important than the last year as we have faced the 
challenges of the COVID-19 pandemic. Our people strategy has three values: 
ambitious; service-focused; and collaborative. 


We have actively monitored the impact of COVID-19 on our staff health and 
wellbeing and adjusted our approach to support staff throughout the year, 
creating new communications channels for information and engagement. 


Our wellbeing initiatives have included workshops to support managers and 
staff, signposting to sources of support and a dedicated wellbeing site, 
flexibility for all staff where needed to support caring responsibilities, 
equipment to work effectively from home and social activities to bring 
people together. The results of the health and wellbeing surveys we did 
in June 2020 and January 2021 showed the positive impact of our approach to 
supporting employee involvement and wellbeing. 


We have continued to work closely with the recognised trade unions as well as 
with our Equality, Diversity and Inclusion staff networks and the staff forum to 
engage with and listen to our employees. Keeping in touch with all our staff 
through virtual town hall events led by the Executive Team, regular email 
updates from the team leading our pandemic response and departmental/team 
meetings have been key to ensuring staff felt informed about how we were going 
to continue delivering services to our customers and stakeholders. 


As we look forward, we’re engaging with all our colleagues again to identify how 
our ways of working should change post the pandemic so that we can continue 
to be an effective regulator and employer of choice. 




Annual report 2020/21 | Accountability report 


Equal opportunities and diversity 


At the ICO we have four equality, diversity and inclusion objectives defined as 
follows: 


• Spreading knowledge and acting 
We will raise awareness of information rights across the community and 
take action to ensure that organisations fulfil their obligations. We will 
particularly focus on groups and sectors where knowledge gaps may cause 
information rights inequalities or vulnerabilities. We will ensure that our 
actions as a regulator do not create inequalities or unlawfully discriminate. 

• Accessible services 
Our services and information will be accessible for users and potential 
users of our services, and we will provide our staff with the skills and 
knowledge they need to provide high quality services for all. We will try to 
anticipate customer needs and we will take action to remove barriers to 
our services when possible. 

• Encouraging others 
We will use our status as a regulator, advisory body and purchaser of 
services to influence improvements in equality by other organisations and 
across society. 

• Employer 
Our workplaces and practices will be accessible, flexible, fair and inclusive. 
We will value the diversity, skills, backgrounds and experience of our 
people, enabling them to perform to their best in a welcoming and 
supportive environment. 


These objectives aim to ensure that the ICO is an inclusive, accessible and 
diverse regulator, service provider and employer. This will help all members of 
society to have awareness of, and access to, their information rights and receive 
appropriate protection if their rights are infringed. 


Our Equality, Diversity and Inclusion (EDI) Board oversees our efforts to provide 
an increasingly accessible service for our customers and workplace for our staff. 


Alongside the EDI Board, we have five staff networks: 


• Women and Allies: focused on gender equality, this network aims to 
encourage, empower and support women in their careers at the ICO and 
beyond. 

• Healthy minds: focused on the importance of good mental health, this 
network aims to raise awareness and challenge the perceived social stigma 
linked to mental and emotional health issues, including stress, depression 
and anxiety. 

• REACH: this abbreviation stands for Race, Ethnicity, and Cultural Heritage, 
with this network focused on raising awareness of issues of race, ethnicity 
and cultural heritage at the ICO and in the wider community and 
celebrating diversity. 

• Pride: focused on supporting LGBTQ+ colleagues, raising awareness and 
celebrating diversity, this network aims to promote a safe, inclusive and 
diverse working environment that encourages respect and equality for all. 

• Network for Access and Inclusion: focused on improving the experience 
of disabled staff and customers at the ICO, this network promotes positive 
attitudes towards disabled people and raises awareness of disability 
equality by identifying and removing barriers to inclusion. 


We provide our staff with a work environment and IT systems which help meet a 
range of needs, including accessible offices and IT systems, and flexible and 
part-time working (to help work-life balance). This has resulted in all ICO staff 
members being provided with a new device which enables them to work from 
any location in a secure and agile way. This has allowed staff to work in the way 
which best suits them and has been particularly important in our response to the 
COVID-19 pandemic, as it allowed us to smoothly transition to remote working. 


We aim to recruit from a range of backgrounds and take the 
applicant-anonymous approach when assessing candidates for employment. 


The focus of the EDI Board 
During 2020-21, the ICO’s EDI Board has focused on five distinct workstreams: 


• ICO People Policy Review 
• Equality Impact Assessment Process Review 
• Develop an EDI Training plan 
• Improve our diversity data 
• Establish an ICO Corporate Social Identity 


The focus of the Board is one of scrutiny and oversight of this work, with many 
of the EDI Board members chairing and/or attending sub-groups and working 
collaboratively with colleagues from across the office to further this work. 


ICO People Policy Review workstream 


Over the last 12 months, members of the EDI Board and Staff Network groups 
have had the opportunity to comment upon a range of ICO people (staff) related 
corporate policies. This has helped to ensure that the policies are inclusive and 
consider issues which may impact upon people from different protected groups. 


Equality Impact Assessment process review 


The EDI Board reviewed the ICO’s Equality and Impact Assessment (EQIA) 
process to ensure that the process, template and guidance documents were fit 
for purpose, met equality legislation, adhered to the Public Sector Equality Duty 
and mirrored best practice. 
To ensure that the new EQIA process feels relevant to all ICO staff and to help 
emphasise the importance of measuring and assessing the impact on equality, 
the ICO has rebranded the EQIA process as the People Impact Assessment (PIA) 
process. This mirrors developing best practice approaches across both the public 
and private sectors. 


Develop an EDI Training plan 


The focus for EDI training over the last 12 months has been delivery of our 
existing mandatory Dignity, Diversity & Inclusion workshop (which all ICO new 
starters attend), as well as introduction of new courses for all staff, such as: 


• Mental Health for People Managers 
• Awareness of mental health and autistic spectrum disorder 
• Interviewing and selection workshops 
• A long way to go for LGBTI equality 
• Festival of Sleep 2021 
• World mental health day 
• World suicide prevention day 
• Menopause for colleagues 
• Menopause for managers 
• Mental Health for everyone 
• Mental Health for managers 


Improving our diversity data 


The EDI Board reviews the demographic information of the ICO's staff on a 
regular basis and has established ambitions for how the ICO’s staffing profile will 
change in the next three years to March 2024. 


The EDI Board did not establish specific ambitions for the age or religion/belief 
demographics for the ICO’s staff, though we wish to ensure that our 
employment practices are as fair and inclusive as possible so that we are 
able to attract and retain people with different characteristics. 


It is worth noting that there has been some movement in the demographics of 
the organisation in the last 12 months with small increases in the percentage of 
ICO staff from an ethnic minority background and staff that declared they are 
disabled. Although there has been progress in that time, our ambitions are 
stretching and there is much further work to be done if we are to achieve them. 
The EDI Board will continue to monitor this data and seek to identify 
opportunities to increase the diversity of our workforce. 


The ICO Corporate Social Identity 


In 2020 the EDI Board commissioned a subgroup of the Board to focus on the 
development of a corporate framework to promote, respond to and engage with 
social and ethical issues, ensuring that the ICO can quickly and appropriately 
respond to social and ethical issues that may impact on staff, customers and 
stakeholders. 


During this year, there has been a strong focus on the language we use across 
the organisation with guidance being issued on the terms ‘whitelisting’ and 
‘blacklisting’. 


The corporate ‘Keeping it simple’ and ‘Writing to influence’ training has also been 
updated with these considerations in mind. 


There has been an increased focus on EDI communications internally, with more 
opportunities to share the work of the networks, raising the profile of the 
networks and engaging people in their activities. 


Personal data incidents 


There have been no substantive security incidents during 2020/21. 


Public sector information holders 


The ICO has complied with the cost allocation and charging requirements set out 
in HM Treasury guidance. 


Pension liabilities 


Details on the treatment of pension liabilities are set out in note 3 to the 
financial statements. 


Annual accounts and audit 


The annual accounts have been prepared in a form directed by the Secretary of 
State with the consent of the Treasury in accordance with paragraph 11(4) of 
Schedule 12 to the DPA 2018. 


Under paragraph 11(3) of Schedule 12 to the DPA 2018 the Comptroller and 
Auditor General was appointed auditor to the Information Commissioner. The 
cost of audit services for this year was £33k (2019/20: £31.5k). No other 
assurance or advisory services were provided. 


So far as the Accounting Officer is aware, the Comptroller and Auditor General is 
aware of all relevant audit information, and the Accounting Officer has taken all 
the steps that she ought to have taken to make herself aware of relevant audit 
information and to establish that the Comptroller and Auditor General is aware of 
that information. 
Directors’ statement 


The ICO’s leadership team consists of the Commissioner, Executive Directors 
and Non-Executive Directors. Each of these persons at the time this report is 
approved: 


• so far as they are aware there is no relevant audit information of which the 
auditor is unaware; and 

• they have taken all the steps they ought to have taken in their role to 
make themselves aware of any relevant audit information and to establish 
that the auditor is aware of that information. 


Statement of the Information Commissioner’s responsibilities 


Under paragraph 11(4) of Schedule 12 to the DPA 2018 the Secretary of State 
directed the Information Commissioner to prepare for each financial year a 
statement of accounts in the form and on the basis set out in the Accounts 
Direction. The accounts are prepared on an accruals basis and must give a true 
and fair view of the situation of the Information Commissioner's Office at the 
year end and of the income and expenditure, recognised gains and losses and 
cash flows for the financial year. 


In preparing the accounts, the Information Commissioner is required to comply 
with the requirements of the Government Financial Reporting Manual (FReM) 
and to: 


• observe the Accounts Direction issued by the Secretary of State with the 
approval of the Treasury, including the relevant accounting and disclosure 
requirements, and apply suitable accounting policies on a consistent basis; 

• make judgements and estimates on a reasonable basis; 

• state whether applicable accounting standards as set out in the FReM have 
been followed, and disclose and explain any material departures in the 
financial statements; and 

• prepare the financial statements on the going concern basis, unless it is 
inappropriate to presume that the Information Commissioner's Office will 
continue in operation. 


The Principal Accounting Officer of the Department for Culture, Media and Sport 
(DCMS) has designated the Information Commissioner as Accounting Officer for 
her Office. The responsibilities of an Accounting Officer, including responsibility 
for the propriety and regularity of the public finances and for keeping of proper 
records and for safeguarding the Information Commissioner's assets, are set out 
in the Non-Departmental Public Bodies' Accounting Officer Memorandum, issued 
by the Treasury and published in Managing Public Money. 
As Accounting Officer, the Information Commissioner has delegated executive 
responsibility to the Chief Executive for effective financial stewardship as 
Accountable Officer. This is a contractual responsibility and allows the 
Information Commissioner to have a separate, and not term-limited, 
accountable person charged with stewardship and probity for our use of public 
money. 


The Accounting Officer confirms that, as far as she is aware, the entity’s auditors 
are aware of all relevant audit information, and the Accounting Officer has taken 
all the steps that she ought to have taken to make herself aware of any relevant 
audit information and to establish that the entity’s auditors are aware of that 
information. 


The Accounting Officer confirms that the Annual report and Accounts is fair, 
balanced and understandable and that she takes personal responsibility for the 
Annual report and Accounts and the judgments required for determining that it 
is fair, balanced and understandable. 
Governance statement 


Introduction 


The Information Commissioner is a corporation sole as established under the 
DPA 1998 and as confirmed under the DPA 2018. As required by the UK GDPR, 
the Information Commissioner and her Office must be completely independent of 
Government. The Information Commissioner is accountable to Parliament for the 
exercise of statutory functions and the independence of the ICO is enshrined in 
legislation. 


Relationship with the DCMS 


The DCMS is the sponsoring department for the ICO. The relationship with the 
department is governed by a Management Agreement. The Management 
Agreement for 2018-2021 was agreed in July 2018. This agreement sets out our 
shared responsibilities and the commitment to ensuring the independence of the 
Information Commissioner and the ICO. The agreement also ensures that 
appropriate reporting arrangements are in place to enable the DCMS to monitor 
the expenditure of public money allocated to the ICO. 


The agreement also confirms that the ICO was granted pay flexibility up to 
2020-21. This ensured that we had the flexibility to determine the levels of pay 
necessary for the ICO to maintain the expertise the office needs to fulfil its 
functions. In 2021/22, the ICO will revert to being subject to standard public 
sector pay policy guidelines. 


Management Board 


The Information Commissioner continues to be a corporation sole, accountable 
to Parliament. The Information Commissioner has delegated collective 
responsibility for the strategic leadership of the organisation to the Management 
Board, comprising Non-Executive and Executive Directors. The Information 
Commissioner is the Chair of the Management Board. 


The Management Board’s Terms of Reference identify five primary areas of focus 
for the Board: the position, culture, capability, reputation and performance of 
the organisation. The Board provides strategic direction to ensure the long-term 
objectives for the organisation are met successfully and sustainably. It operates 
collectively, holding the Executive to account for the day-to-day leadership and 
regulatory outcomes of the ICO. 


The Board is based on majority decision-making principles. As the Information 
Commissioner is a corporation sole, she retains the right to veto a decision of 
the Management Board and take another course of action, where she deems 
necessary, with any such decisions recorded and documented in the Governance 
Statement of the Annual Report. There were no such instances during 2020/21. 


The Board comprises Executive and Non-Executive Directors, with 
Non-Executive Directors outnumbering Executive Directors (there is currently one 
Non-Executive vacancy). 


The Board has agreed to appoint a Senior Independent Director (SID), 
designated by the Commissioner from amongst the Non-Executive Directors. 
Nicola Wood was appointed to this role on 1 June 2020. The SID is responsible 
for chairing Board meetings in the absence of the Information Commissioner and 
for representing the views of the Non-Executive Directors. 


Two senior Executive Directors have been designated by the Commissioner from 
amongst the Executive Directors. One, designated as Deputy Chief Executive 
and Chief Operating Officer, is responsible for the ICO's day-to-day 
administrative leadership and performance, including holding delegated 
Accounting Officer responsibilities as far as possible. Paul Arnold was appointed 
to this role on 9 July 2020. The other, designated as the Chief Regulatory 
Officer, is responsible for the ICO's regulatory decisions and outcomes. James 
Dipple-Johnstone was appointed to this role on 9 July 2020. These arrangements 
allow the Information Commissioner, in addition to overseeing the strategic 
direction for the organisation, to focus on the key domestic and international 
stakeholder relationships of greatest importance to the ICO’s strategic 
objectives. 


The Board meets a minimum of four times annually (six meetings a year are 
scheduled and all of these took place during 2020/21) and considers risk 
management and operational, financial, organisational and corporate issues. It 
also receives reports from the Audit and Risk Committee, Nominations 
Committee and Remuneration Advisory Panel. 


2020/21 has clearly been a vastly different year for the ICO’s Management 
Board, as it was for everyone. While we have been unable to meet as a 
Management Board in person at any point in the year, we have continued to 
build strong collaboration as a Board by embracing technology and have had 
extremely effective Board meetings. We have also taken the opportunity to have 
more regular informal video calls between Board members. This has ensured 
that the Non-Executives have remained up to date on the ICO’s most important 
business. This has allowed the Non-Executives to be effective in their role on the 
ICO's Board, and continue to provide advice and constructive challenge, 
harnessing our experience from a wide variety of organisations for the 
betterment of the ICO. 


In the course of 2020/21, Stephen Bonner joined the Board as Executive 
Director (Regulatory Futures and Innovation) on 8 February 2021. 
Two further changes are due to take place to the Board during 2021/22. 
Elizabeth Denham’s term as Information Commissioner was originally due to 
end in July 2021. Following a request from the Secretary of State for DCMS, 
Elizabeth has agreed to extend her term as Information Commissioner to 31 
October 2021, while the recruitment process for her successor is completed. 


Also, on 31 July 2021, Simon McDougall will leave his role as Deputy 
Commissioner (Executive Director - Technology and Innovation), when his 
contract expires. 


In addition to these changes in membership of the Board, the following 
Executive Team members attend Board meetings. 


• The General Counsel. James Moss was appointed as Acting General 
Counsel on 14 April 2020 and finished in this role on 18 April 2021. 
Claudia Berg was appointed as General Counsel and joined the Executive 
Team on 19 April 2021. 

• The Executive Director (Strategic Change and Transformation). Jen Green 
was appointed to this role and joined the Executive Team on 1 February 
2021. 


The table below details attendance at the Management Board meetings during 
the year. All meetings were held remotely, due to the COVID-19 pandemic. 


[Table: Management Board meeting attendance, 2020/21. Meeting dates: 18 May 
2020, 20 Jul 2020, 21 Sept 2020, 16 Nov 2020, 1 Feb 2021, 22 Mar 2021. Members 
listed: Elizabeth Denham, Paul Arnold, Ailsa Beaton, Stephen Bonner, David 
Cooke, James Dipple-Johnstone, Peter Hustinx, Jane McCall, Simon McDougall, 
Nicola Wood, Steve Wood.] 


Audit and Risk Committee 


The Audit and Risk Committee meets quarterly and provides a structured, 
systematic oversight of the ICO's governance, risk management, and internal 
control practices. This Committee was previously known as the Audit Committee 
but was renamed to Audit and Risk Committee in January 2021 to make clear 
that the Committee has responsibility for oversight of risk management. The 
Committee assists the Board and management team by providing independent 
advice and guidance on the adequacy and effectiveness of the organisation's 
management practices detailed below, including any potential improvements to 
these practices: 


• governance structure; 
• risk management; 
• internal control framework; 
• oversight of the internal audit activity, external auditors, and other 
providers of assurance; and 
• finance statements and public accountability reporting. 


The Committee is chaired by Ailsa Beaton as a Non-Executive Director. Jane 
McCall is the other Non-Executive Director and Roger Barlow is the independent 
member. 


The table below shows attendance of Audit and Risk Committee members at the 
meetings during the year. All meetings were held remotely due to the COVID-19 
pandemic. 


Dates          20 Apr 2020   22 Jun 2020   13 Nov 2020   25 Jan 2021 
Ailsa Beaton   Yes           Yes           Yes           Yes 
Roger Barlow   Yes           Yes           Yes           Yes 
Jane McCall    Yes           Yes           Yes           Yes 


Both external and internal auditors attend the Audit and Risk Committee and 
have pre-meetings with Committee members before each meeting. 


The Audit and Risk Committee publishes its own Annual report. Each annual 
report, including the 2020/21 report, is available on the ICO website 
(ico.org.uk). The report states that the Committee is satisfied with the quality of 
internal and external audit and believes that it can take a measured and diligent 
view of the quality of the systems of reporting and control within the ICO. 


The Chair of the Audit and Risk Committee attends regular meetings of the 
Chairs of the Audit and Risk Committees of DCMS arm's-length bodies. These 
meetings include discussions with senior DCMS staff and senior NAO staff 
and provide opportunities to share issues of interest. 


The Audit and Risk Committee receives a quarterly report on incidents of fraud, 
security breaches and whistleblowing incidents as assurance that the reporting 
mechanisms are in place and are effective. 
Executive Team 


The Executive Team provides day-to-day leadership for the ICO and as such is 
responsible for developing and delivering against the Information Rights 
Strategic Plan and Capacity and Capability Plan. At the start of 2020/21, the 
team consisted of the Information Commissioner, Deputy Chief Executive Officer 
and Chief Operating Officer, Chief Regulatory Officer, Deputy Commissioner 
(Regulatory Strategy) and Deputy Commissioner (Executive Director - 
Technology and Innovation). As set out above, in early 2020/21, the Executive 
Team was supplemented by an acting General Counsel. The Executive Director 
(Strategic Change and Transformation) and Executive Director (Regulatory 
Futures and Innovation) joined in February 2021. The permanent General 
Counsel joined in April 2021. The Executive Director (Technology and 
Innovation) will leave the ICO in July 2021. 


A structure chart is provided below to illustrate the Executive Team structure as 
of 31 March 2021. 
• Elizabeth Denham: Information Commissioner 
• James Dipple-Johnstone: Deputy Commissioner (Chief Regulatory Officer) 
• Paul Arnold: Deputy Chief Executive and Chief Operating Officer 
• Steve Wood: Deputy Commissioner (Executive Director - Regulatory Strategy 
Service) 
• Simon McDougall: Deputy Commissioner (Executive Director - Technology and 
Innovation) 
• Stephen Bonner: Executive Director - Regulatory Futures and Innovation 
• Jen Green: Executive Director - Strategic Change and Transformation 
• James Moss: Acting General Counsel 


The Executive Team is supported in its role by the Senior Leadership Team. This 
team consists of 15 directors across the organisation. This increased by one 
Director in 2020/21, as we appointed a new Director of Technology and 
Innovation in January 2021. 


Board effectiveness 


The Management Board has considered its compliance with the Corporate 
governance in central government departments: Code of good practice 2017. 
The ICO does not adopt all aspects of the Code, but the Board considers that 
there are good reasons for this given the nature of the organisation as a 
corporation sole. In particular: 


• The Board does not have the powers and duties of a Board in which is 
vested the ultimate authority of the organisation. This is because the 
Information Commissioner is a corporation sole. However, in line with the 
scale and complexity of the ICO's role and remit, the Commissioner has 
formally delegated responsibility through the ICO's Management 
Agreement with its Government sponsor department (and the Management 
Board Terms of Reference) for the strategic leadership of the ICO to the 
Management Board, of which the Information Commissioner is the Chair. 
The Board operates based on collective decision-making principles and a 
'majority vote' in circumstances where a consensus view cannot be 
reached. The Commissioner, as a Corporation Sole, will always have the 
right to set a course of action that is contrary to the majority view of the 
Board. There have been no such instances in 2020/21. 

• Although the ICO has a Remuneration Advisory Panel to advise the 
Information Commissioner on remuneration policies related to Executive 
Team pay, as a corporation sole, the Information Commissioner retains 
ultimate authority in this area. 

• In respect of an operating framework, the Board operates within the 
overall system of corporate governance at the ICO. 


The Board has reviewed the information it receives and is satisfied with its 
quality. The Board is also satisfied that it is, itself, operating effectively. 


Issues and highlights 


The ICO’s corporate governance structure has considered various issues of 
substance during the year. These include: 


• progress towards achieving the ICO’s Information Rights Strategic Plan 
2017-2021 and the strategies which directly support this, including the 
Capacity and Capability Plan; 

• the ICO’s response to the COVID-19 pandemic, including the ICO’s 
prioritisation and regulatory posture, and staff wellbeing and welfare 
matters; 

• the review of the ICO’s Regulatory Action Policy; 

• preparation for the UK’s exit from the EU and the period after the UK’s exit 
from the EU; 

• the ICO’s involvement in the Digital Regulation Cooperation Forum; 

• the establishment of a Nominations Committee to be responsible for 
recruitment to Executive Team and Non-Executive Director roles; 

• the duties of the Senior Independent Director; 

• risk management policy and risk appetite; 

• organisational planning matters, including budgeting, IT service delivery, 
and workforce strategy, during a period of continued expansion; and 

• the ICO’s business continuity approach. 
Risk assessment 


Risks and opportunities are regularly reviewed by senior managers. The 
Management Board and Audit and Risk Committee also consider these highest 
scoring risks and opportunities at each meeting. In addition, during 2020/21, the 
ICO strengthened its risk management framework by establishing a Risk and 
Governance Board, chaired by the Chief Operating Officer. This Board’s role is to 
assist the Information Commissioner and Senior Leadership Team with the 
governance of the organisation and management of risk to achieving its strategic 
priorities and service delivery. It does this by reviewing all matters concerning 
the development, maintenance and implementation of the ICO’s risk and 
governance management frameworks, including monitoring and reporting 
arrangements. 


In October 2020 the Audit and Risk Committee conducted a full review of all the 
ICO's risks and opportunities. In February 2021, the Management Board 
approved a new risk appetite statement. The Board does this on an annual basis. 
All activities within Directorate business plans are linked to risks or 
opportunities, which has ensured that they are considered even more regularly, 
along with clearly identifying actions to mitigate risks or exploit opportunities. 


The main new risks and opportunities identified during 2020/21 were: 


• staff welfare and wellbeing because of COVID-19;
• the COVID-19 pandemic and resulting working practices;
• the future role and structure of the ICO;
• the ICO's international position following the conclusion of the UK's exit
  from the European Union; and
• managing the ICO's reputation.


In addition, throughout 2020/21, we continued to work to mitigate the key 
corporate risks to achieving our six strategic goals. 


| Key risk area | Mitigation approach |
|---|---|
| Capacity and capability - ensuring that we have the right knowledge and skills to deliver our plans and strategies. | The ICO's Capacity and Capability Plan, focussed on ensuring the organisation is fit for the future. Monitoring capacity and demand, in relation to the impact of the COVID-19 pandemic. Reviewing processes and enhancing productivity where possible using new technologies. |
| Ensuring the ICO complies with its legal and other obligations as a regulator, employer and public authority. | Three lines of defence model including the introduction of a Risk and Governance Board. Internal and external audit. Suite of internal policies covering financial, procurement, HR, corporate, information governance and security obligations. Audit and Risk Committee oversight of the ICO’s internal controls framework. |
| Financial resilience resulting from the economic impact of the COVID-19 pandemic. | Close monitoring of budget and forecast. Cash flow modelling. Identification of efficiencies and savings. |
| Business continuity response to a major event that impacts the ICO’s infrastructure and/or resources. | Business continuity plans in place. Lessons learned review undertaken regarding the immediate response to COVID-19. Ongoing review of future ways of working. |


The main area of uncertainty for the future, at the time of drafting this report, is 
the continuing impact of the COVID-19 pandemic. This pandemic has a direct 
impact on the ICO's operations and priorities, as well as the resourcing and 
financing of the organisation. This risk will continue to be closely monitored and 
our financial planning will continue to consider the economic impact of the 
pandemic. 


Sources of assurance 


As Accounting Officer, the Information Commissioner has responsibility for 
reviewing the effectiveness of the system of internal control, including the risk 
management framework. This review is informed by the work of the internal 
auditors and senior managers who have responsibility for the development and 
maintenance of the internal control framework, and comments made by the 
external auditors in their management letter and other reports. 


2020/21 was the third year of our contract for internal audit with Mazars, who 
were contracted to provide our internal audit services until June 2021. A new 
contract was awarded to Mazars in February 2021 to extend their internal audit 
services until June 2023. In their annual report, they gave an opinion that the 
framework of governance, risk management, and control is moderate in its 
overall adequacy and effectiveness ("moderate" is the second highest of the four 
ratings offered by Mazars, who provide annual report opinions of "substantial", 
"moderate", "limited" and "unsatisfactory". "Moderate" is defined as "some 
improvements are required to enhance the adequacy and effectiveness of the
framework of governance, risk management and control.”) Mazars stated that
“On the basis of our audit work, our opinion on the framework of governance, 
risk management, and control is Moderate in its overall adequacy and 
effectiveness. Some improvements are required to enhance the adequacy and 
effectiveness of the framework of governance, risk management and control. We 
highlighted weaknesses in the area of stakeholder management where two 
fundamental recommendations were made. We also noted good practice in other 
areas, including our audits of fees and income, information governance, and 
investigations and enforcement, which provided substantial assurance opinions. 
All matters have been discussed with management, to whom we have made 
recommendations. All of these have been, or are in the process of being 
addressed, as detailed in our individual reports.” 


Mazars made 29 recommendations in their audits during 2020/21. There were 
also five audit recommendations from audits in 2019/20 which had not been due 
for completion during 2019/20. At year end, Mazars reviewed progress with 
these 34 recommendations, and confirmed that all 25 which were due for 
completion during 2020/21 have been completed. Nine recommendations were 
not yet due for completion at the time of drafting this report. 


The Information Commissioner is satisfied that a plan to address weaknesses in 
the system of internal control and to ensure continuous improvement of the 
system is in place. The Information Commissioner is also satisfied that all 
material risks have been identified and that those risks are being effectively 
managed.


Remuneration policy


Schedule 4 to the DPA 2018 states that the salary of the Information 
Commissioner be specified by a Resolution of the House of Commons. In March 
2018 the House resolved that the salary would be £160k per annum from 1 April 
2018. The salary is paid directly from the Consolidated Fund. In addition to this 
salary, the Information Commissioner also receives a non-consolidated,
non-pensionable annual allowance of £20,000.


In January 2018 the ICO was granted pay flexibility for the pay remit years from 
2018/19 to 2020/21, to enable it to review its pay and grading structure. During 
this period the ICO has the flexibility to determine the levels of pay necessary 
for it to maintain and recruit the expertise it needs to fulfil its functions as a 
supervisory authority. In exercising this flexibility, the assumption is that 
matching market medians will form the basis of the ICO’s pay levels for each 
grade in the organisation. As a result, the ICO has been able to implement 
salary rates which more effectively compete with the labour markets in which we 
operate. 


In making decisions on remuneration the Information Commissioner has regard 
to the following considerations: 


• the UK economic climate and public finances;
• the need to recruit, retain and motivate suitably able and qualified people;
• independently benchmarked pay data for the public sector and
  comparable national independent regulators;
• the funds available to the Information Commissioner; and
• Treasury pay guidance.


In matters relating to Executive Team pay, the Information Commissioner also 
has regard to the recommendations of the ICO’s independent Remuneration 
Advisory Panel (established from February 2019). 


During 2019/20, as part of delivering pay flexibility, a career progression 
framework was implemented. This framework creates a means by which the ICO 
can recognise and reward staff, based on sustained increases in personal 
competence, contribution and impact within roles, aligned to the organisation’s 
vision and values. The framework continued in 2020/21 and has allowed us to 
attract and retain high calibre staff. 


When the period of pay flexibility concludes (at the end of the 2020/21 pay remit 
year in June 2021), the ICO will revert to being subject to standard public sector 
pay policy guidelines issued by HM Treasury, unless otherwise negotiated. As 
such, rates of any annual pay reviews will be determined by the Information 
Commissioner in consultation with the Secretary of State and Treasury.


Staff appointments are made on merit based on fair and open competition and,
unless otherwise stated, are open-ended. Individuals who are made redundant 
are entitled to receive compensation as set out in the Civil Service Compensation 
Scheme. 


Non-Executive Directors are appointed for an initial term of three years, 
renewable by the Information Commissioner by mutual agreement. 


In 2020/21 we typically expected our Non-Executive Directors to contribute 26 
days per annum to their role at the ICO. This expectation increased by 10 days 
in 2020/21, in line with the increased role for the Management Board, which was 
agreed during our 2019/20 governance review. Non-Executive Directors receive 
an annual fee of £22,464. 


In 2020/21 we also introduced a new role of Senior Independent Director. We 
typically expect our Senior Independent Director to contribute 30 days per 
annum to their role at the ICO. They receive an annual fee of £25,920. 


There may also be times when, due to the workload of the Management Board, 
our Non-Executive Directors need to contribute significantly more time than we 
typically expect to their role at the ICO. In these circumstances, our
Non-Executive Directors will be paid for the additional days which they contribute.


Remuneration and staff report


Salary and pension entitlements (audited) 


Details of the remuneration and pension interests of the Information 
Commissioner and her most senior officials are provided below. 


Remuneration (salary, bonuses, benefits in kind and pensions) 


| Officials | Salary (£'000) 2020/21 | Salary (£'000) 2019/20 | Benefits in kind (to nearest £100) 2020/21 | Benefits in kind (to nearest £100) 2019/20 | Compensation schemes (£'000) 2020/21 | Compensation schemes (£'000) 2019/20 | Pension benefits (£'000, to nearest £1,000) 2020/21 | Pension benefits (£'000, to nearest £1,000) 2019/20 | Total (£'000) 2020/21 | Total (£'000) 2019/20 |
|---|---|---|---|---|---|---|---|---|---|---|
| Elizabeth Denham, Information Commissioner | [illegible] (note 1) | [illegible] (note 1) | - | - | - | - | 61 | 61 | 240-245 | 240-245 |
| Paul Arnold, Deputy Chief Executive and Chief Operating Officer | 120-125 | 115-120 | [illegible] | [illegible] | - | - | [illegible] | [illegible] | 195-200 | 190-195 |
| Stephen Bonner, Executive Director (Regulatory Futures and Innovation) (note 2) | 20-25 (full year: 120-125) | - | - | - | - | - | - | - | 20-25 (full year: 120-125) | - |
| James Dipple-Johnstone, Deputy Commissioner (Chief Regulatory Officer) | 120-125 | 115-120 | - | - | - | - | 19.8 | 23 (note 3) | 140-145 | 135-140 |
| Simon McDougall, Deputy Commissioner (Executive Director - Technology and Innovation) | 120-125 | 115-120 | 200 | 100 | - | - | 48 | 303 (note 4) | 170-175 | 415-420 |
| Steve Wood, Deputy Commissioner (Regulatory Strategy) | 110-115 | 105-110 | - | - | - | - | 56 | 49 | 165-170 | 150-155 |
| Ailsa Beaton, Non-Executive Board Member | 30-35 | 20-25 | - | - | - | - | - | - | 30-35 | 20-25 |
| David Cooke, Non-Executive Board Member | 20-25 | 10-15 | - | - | - | - | - | - | 20-25 | 10-15 |
| Peter Hustinx, Non-Executive Board Member | 20-25 | 10-15 | - | - | - | - | - | - | 20-25 | 10-15 |
| Jane McCall, Non-Executive Board Member | 20-25 | 15-20 | - | - | - | - | - | - | 20-25 | 15-20 |
| Nicola Wood, Senior Independent Director | 25-30 | 10-15 | - | - | - | - | - | - | 25-30 | 10-15 |

Notes: 


1. This includes a non-consolidated, non-pensionable annual allowance of £20,000. 
2. Appointed February 2021. 


3. James Dipple-Johnstone is a member of a Partnership pension scheme. We are required to 
disclose Employer contributions to pensions to the nearest £100. 


4. This figure includes the transfer in of another pension. 


The value of pension benefits accrued during the year is calculated as the real 
increase in pension multiplied by 20 plus the real increase in any lump sum, less 
the contributions made by the individual. The real increases exclude increases 
due to inflation or any increase or decrease due to a transfer of pension rights. 


Salary comprises gross salary and any other allowance to the extent that it is 
subject to UK taxation. There were no bonus payments to Board Members in 
2020/21. 


All benefits in kind relate to the ICO’s contribution to the ICO’s health care plan 
provided by BHSF.


Pension Benefits (audited)

| | Accrued pension at pension age as of 31 March 2021 and related lump sum (£'000) | Real increase in pension and related lump sum at pension age (£'000) | CETV at 31 March 2021 (£'000) | CETV at 31 March 2020 (£'000) | Real increase in CETV (£'000) |
|---|---|---|---|---|---|
| Elizabeth Denham, Information Commissioner | 15-20 | 2.5-5 | 286 | 215 | 48 |
| Paul Arnold, Deputy CEO | 35-40 plus a lump sum of 75-80 | 2.5-5 plus a lump sum of 2.5-5 | 609 | 544 | 40 |
| Stephen Bonner, Executive Director (Regulatory Futures and Innovation) | - | - | - | - | - |
| James Dipple-Johnstone, Deputy Commissioner (Regulatory Supervision) (note 1) | - | - | - | - | - |
| Simon McDougall, Executive Director (Technology and Innovation) | 20-25 | 2.5-5 | 222 | 183 | 23 |
| Steve Wood, Deputy Commissioner (Regulatory Strategy) | 25-30 | 2.5-5 | 398 | 347 | 32 |


Notes: 


1. Member of partnership pension scheme. 
The Cash Equivalent Transfer Value (CETV) figures are provided by MyCSP, the ICO's 
Approved Pensions Administration Centre, who have assured the ICO that they have been 
correctly calculated following guidance provided by the Government Actuary's Department. 


Partnership pensions 


There is one member of staff included in the list of the Commissioner's most 
senior staff who has a partnership pension. Please see note 3 to the table on the 
previous page. 


Civil Service pensions 


Further details about the Civil Service pension arrangements are available at 
civilservicepensionscheme.org.uk. 


Cash Equivalent Transfer Values (CETV) 


A CETV is the actuarially assessed capitalised value of the pension scheme 
benefits accrued by a member at a particular point in time. The benefits valued 
are the member's accrued benefits and any contingent spouse's pension payable 
from the scheme. It represents the amount paid by a pension scheme or
arrangement to secure pension benefits in another pension scheme or
arrangement when the member leaves a scheme and chooses to transfer the 
benefits accrued in their former scheme. 


The pension figures shown relate to the benefits that the individual has accrued 
because of their total membership of the pension scheme, not just their service 
in a capacity to which disclosure applies. 


The figures include the value of any pension benefit in another scheme or 
arrangement that the individual has transferred to the Civil Service pension 
arrangements. They also include any additional pension benefit accrued to the 
member because of their purchasing additional pension benefits at their own 
cost. CETVs are worked out in accordance with The Occupational Pensions
Schemes (Transfer Values) (Amendment) Regulations 2008 and do not take 
account of any actual or potential reduction to benefits resulting from Lifetime 
Allowance Tax which may be due when pension benefits are taken. 


Real increase in CETV 


This reflects the increase in CETV that is funded by the employer. It does not 
include the increase in accrued pension due to inflation, contributions paid by 
the employee (including the value of any benefits transferred from another 
pension scheme or arrangement) and uses common market valuation factors for 
the start and end of the period. 


Pay multiples (audited) 


Reporting bodies are required to disclose the relationship between the 
remuneration of the highest paid director in their organisation and the median 
remuneration of the organisation’s workforce. The Information Commissioner is 
deemed to be the highest paid director and no member of staff receives 
remuneration higher than the highest paid director. 


The banded remuneration of the highest paid director of the ICO in the financial 
year 2020/21 was £180k to £185k (2019/20: £180k to £185k). This was 5.15 
times (2019/20: 5.9 times) the median remuneration of the workforce, which 
was £34,948 (2019/20: £30,626). The median total remuneration is calculated 
by ranking the annual full-time equivalent salary as of 31 March 2021 for each 
member of staff. 


Staff remuneration ranged from £22,925 to £180,000 (2019/20: £19,299 to 
£180,000). 


Total remuneration includes salary, non-consolidated performance-related pay 
and benefits-in-kind. It does not include severance payments, employer pension 
contributions or the CETV of pensions.


During 2020/21, as stated above, the ICO had permission to exercise pay
flexibility, although it still adheres to the principle of government pay restraint 
policies. 


Number of senior civil service staff (or equivalent) by band 


The Information Commissioner, the Deputy CEO and Chief Operating Officer, the 
Chief Regulatory Officer, the Deputy Commissioner (Executive Director - 
Regulatory Strategy), the Deputy Commissioner (Executive Director - 
Technology and Innovation), the Executive Director (Strategic Change and 
Transformation), the Executive Director (Regulatory Futures and Innovation) and 
the five Non-Executive Directors are the only staff categorised as being at a
grade equivalent to the senior civil service. 


Staff composition 


As of the end of 2020/21 there were 11 members of the Management Board, of 
whom seven were male and four were female. In total in the ICO at the end of 
2020/21, 37.8% of staff were male and 62.2% female. 


Sickness absence 


The average number of sick days taken per person during the year was 6.0 days 
(2019/20: 7.2 days). 


Staff turnover 


The staff turnover for the ICO during 2020/21 was 3.5% (2019/20: 7.7%). Staff 
turnover has consistently reduced since 2017/18 (where the rate was 13.5%). 
This has partly been because of the ICO’s continual growth throughout this 
period, but the pay flexibility we were granted in 2018 has enabled us to retain 
staff who might otherwise have left for better salaries elsewhere. The retention 
of experienced staff was a key driver in our business case to the Treasury. The 
COVID-19 pandemic is also doubtlessly a contributory factor to the very low 
turnover rate in 2020/21. 


Staff engagement 


The level of engagement in the ICO’s staff surveys during 2020/21 was 84% 
(2019/20: 82%). Our surveys this year had a focus on staff experiences and 
wellbeing during the COVID-19 pandemic, which is likely to contribute to the 
high level of engagement.


Staff policies relating to the employment of disabled persons


The ICO’s recruitment processes ensure that shortlisting managers only assess 
the applicant’s skills, knowledge and experience for the job. All personal 
information is removed from applications before shortlisting. 


The ICO applies the Disability Confident standard for job applicants who are 
disabled. It has also assisted in the continued employment of disabled people by 
providing a work environment that is accessible and equipment that allows 
people to perform effectively. Our disabled staff are given equal access to 
training and promotion opportunities and adjustments are made to work 
arrangements, work patterns and procedures to ensure that people who are, or 
become, disabled, are treated fairly and can continue to contribute to the ICO’s 
aims. 


Staff numbers and costs (audited) 


As of 31 March 2021 the ICO had 822 permanent staff (774.4 full time 
equivalents). 


Average number of full-time equivalents during 2020/21 


| | Permanently employed staff | Temporarily employed staff | 2020/21 Total | 2019/20 Total |
|---|---|---|---|---|
| Directly employed | 740 | 3.6 | 743.6 | 706.2 |
| Agency staff | 0 | 43.5 | 43.5 | 20.7 |
| Total employed | 740 | 47.1 | 787.1 | 726.9 |

Staff costs

| | Permanently employed staff (£000) | Others (£000) | 2020/21 Total (£000) | 2019/20 Total (£000) |
|---|---|---|---|---|
| Wages and salaries | 30,232 | 2,049 | 32,281 | 29,008 |
| Social security costs | 3,225 | - | 3,225 | 2,942 |
| Other pension costs | 7,743 | - | 7,743 | 7,126 |
| Sub-total | 41,200 | 2,049 | 43,249 | 39,076 |
| Less recoveries in respect of outward secondments | (20) | - | 20 | 0 |
| Total net costs | 41,180 | 2,049 | 43,229 | 39,076 |


Included in staff costs above are notional costs of £256k (2019/20: £256k) in 
respect of salary and pension entitlements of the Information Commissioner and 
the associated employers national insurance contributions (which are credited 
directly to the General Reserve), temporary agency staff costs of £1.503m 
(2019/20: £0.746m) and inward staff secondments of £546k (2019/20: £894k), 
as well as the amounts disclosed in the Remuneration section above. 


Expenditure on consultancy 


During 2020/21 there was expenditure totalling £404k on consultancy as defined 
in Cabinet Office spending controls guidance (2019/20: £665k). 


This expenditure primarily relates to development of the Age Appropriate Design 
Code, human resources, communications services and stakeholder research. 


Off-payroll engagements 


There were no off-payroll engagements during 2020/21. 


Exit packages (audited) 


Redundancy and other departure costs are paid in accordance with the 
provisions of the Civil Service Compensation Scheme, a statutory scheme made 
under the Superannuation Act 1972. Exit costs are accounted for in full in the 
year of departure. Where the Information Commissioner has agreed early 
retirements, the additional costs are met by the Information Commissioner and 
not by the Principal Civil Service Pension Scheme (PCSPS). Ill health retirement 
costs are met by the pension scheme and are not included in the table above. 


There were no compulsory redundancies in 2020/21 (2019/20: none) and no 
other exit packages. 


Ex-gratia payments made outside of the provisions of the Civil Service 
Compensation Scheme are agreed directly with the Treasury.


Trade union facility time

| Relevant union officials | 2020/21 | 2019/20 |
|---|---|---|
| Number of employees who were relevant union officials during the relevant period | 15 | 14 |
| Full time equivalent employee number | 1.30 | 0.49 |

| Percentage of time spent on facility time | 2020/21 | 2019/20 |
|---|---|---|
| Bands: 0%; 1-50%; 51%-99%; 100% | 14 | 14 |

| Percentage of pay bill spent on facility time | 2020/21 | 2019/20 |
|---|---|---|
| Total cost of facility time | £38,883.40 | £15,679.68 |
| Total pay bill | £32,281,000 | £29,006,00 |
| Percentage | 0.12% | 0.05% |

| Paid trade union activities | 2020/21 | 2019/20 |
|---|---|---|
| Time spent on trade union activities as a percentage of total paid facility time hours | 20% | 20% |


Regularity of expenditure (audited)


There are no regularity of expenditure issues.


Fees and charges (audited) 


Information on fees collected from data controllers who notify their processing of 
personal data under the DPA is provided in the Financial Performance Summary, 
as part of the performance report earlier in this document. Further information 
on data protection fees is also set out in notes 1.5 and 2 to the financial 
statements. 


Remote contingent liabilities (audited) 


Please see note 18 to the accounts. 


Long-term expenditure trends 


The ICO is collecting fees under the GDPR and Data Protection (Charges and 
Information) Regulations 2018 - this fee structure allows the ICO to better 
match fee income to the cost of regulation. Fee income is budgeted to be at 
approximately £63m this financial year, and is budgeted to increase to 
approximately £68m for the 2022/23 financial year. 


Grant-in-aid for our freedom of information work has remained at slightly more 
than £4m per annum. 


Elizabeth Denham 
22 June 2021


The Certificate and Report of the
Comptroller and Auditor General to the
Houses of Parliament


Opinion on financial statements 


I certify that I have audited the financial statements of Information 
Commissioner's Office for the year ended 31 March 2021 under the Data 
Protection Act 2018. The financial statements comprise: The Statements of 
Comprehensive Net Expenditure, Financial Position, Cash Flows, Changes in 
Taxpayers’ Equity; and the related notes, including the significant accounting 
policies. These financial statements have been prepared under the accounting 
policies set out within them. The financial reporting framework that has been 
applied in their preparation is applicable law and International Financial 
Reporting Standards as interpreted by HM Treasury’s Government Financial 
Reporting Manual. 


I have also audited the information in the Accountability Report that is described 
in that report as having been audited. 


In my opinion, the financial statements: 


• give a true and fair view of the state of Information Commissioner’s
  Office’s affairs as at 31 March 2021 and of net expenditure for the year
  then ended; and

• have been properly prepared in accordance with the Data Protection Act
  2018 and Secretary of State directions issued thereunder.


Opinion on regularity 


In my opinion, in all material respects, the income and expenditure recorded in 
the financial statements have been applied to the purposes intended by 
Parliament and the financial transactions recorded in the financial statements 
conform to the authorities which govern them. 


Basis of opinions 


I conducted my audit in accordance with International Standards on Auditing 
(ISAs) (UK), applicable law and Practice Note 10 ‘Audit of Financial Statements 
of Public Sector Entities in the United Kingdom’. My responsibilities under those 
standards are further described in the Auditor’s responsibilities for the audit of 
the financial statements section of my certificate. 




Those standards require me and my staff to comply with the Financial Reporting 
Council’s Revised Ethical Standard 2019. I have also elected to apply the ethical 
standards relevant to listed entities. I am independent of Information 
Commissioner's Office in accordance with the ethical requirements that are 
relevant to my audit of the financial statements in the UK. My staff and I have 
fulfilled our other ethical responsibilities in accordance with these requirements. 


I believe that the audit evidence I have obtained is sufficient and appropriate to 
provide a basis for my opinion. 


Conclusions relating to going concern 


In auditing the financial statements, I have concluded Information 
Commissioner's Office's use of the going concern basis of accounting in the 
preparation of the financial statements is appropriate. 


Based on the work I have performed, I have not identified any material 
uncertainties relating to events or conditions that, individually or collectively, 
may cast significant doubt on Information Commissioner's Office's ability to 
continue as a going concern for a period of at least twelve months from when 
the financial statements are authorised for issue. 


My responsibilities and the responsibilities of the Accounting Officer with respect 
to going concern are described in the relevant sections of this certificate. 


The going concern basis of accounting for Information Commissioner's Office is 
adopted in consideration of the requirements set out in International Financial 
Reporting Standards and interpreted by HM Treasury's Government Financial 
Reporting Manual, which require entities to adopt the going concern basis of 
accounting in the preparation of the financial statements where it is anticipated
that the services which they provide will continue into the future. 


Other information 


The other information comprises information included in the annual report, but 
does not include the parts of the Accountability Report described in that report 
as having been audited, the financial statements and my auditor's certificate 
thereon. The Accounting Officer is responsible for the other information. My 
opinion on the financial statements does not cover the other information and 
except to the extent otherwise explicitly stated in my certificate, I do not 
express any form of assurance conclusion thereon. In connection with my audit 
of the financial statements, my responsibility is to read the other information 
and, in doing so, consider whether the other information is materially 
inconsistent with the financial statements, or my knowledge obtained in the 
audit or otherwise appears to be materially misstated. If I identify such material 
inconsistencies or apparent material misstatements, I am required to determine 
whether this gives rise to a material misstatement in the financial statements
themselves. If, based on the work I have performed, I conclude that there is a
material misstatement of this other information, I am required to report that 
fact. 


I have nothing to report in this regard. 


Opinion on other matters


In my opinion, based on the work undertaken in the course of the audit:


• the parts of the Accountability Report to be audited have been properly
  prepared in accordance with Secretary of State directions made under the
  Data Protection Act 2018; and

• the information given in the Performance and Accountability Reports for
  the financial year for which the financial statements are prepared is
  consistent with the financial statements.


Matters on which I report by exception 


In the light of the knowledge and understanding of Information Commissioner's 
Office and its environment obtained in the course of the audit, I have not 
identified material misstatements in the Performance and Accountability Reports. 
I have nothing to report in respect of the following matters which I report to you 
if, in my opinion: 


• adequate accounting records have not been kept or returns adequate for
  my audit have not been received from branches not visited by my staff; or

• the financial statements and the parts of the Accountability Report to be
  audited are not in agreement with the accounting records and returns; or

• certain disclosures of remuneration specified by HM Treasury's
  Government Financial Reporting Manual are not made; or

• I have not received all of the information and explanations I require for my
  audit; or

• the Governance Statement does not reflect compliance with HM Treasury's
  guidance.


Responsibilities of the Accounting Officer for the financial 
statements 


As explained more fully in the Statement of the Information Commissioner's 
responsibilities, the Information Commissioner as Accounting Officer is 
responsible for:


• the preparation of the financial statements in accordance with the
  applicable financial reporting framework and for being satisfied that they
  give a true and fair view;

• internal controls as the Accounting Officer determines are necessary to
  enable the preparation of financial statements to be free from material
  misstatement, whether due to fraud or error;

• assessing Information Commissioner’s Office’s ability to continue as a
  going concern, disclosing, as applicable, matters related to going concern
  and using the going concern basis of accounting unless the Accounting
  Officer anticipates that the services provided by Information
  Commissioner's Office will not continue to be provided in the future.


Auditor’s responsibilities for the audit of the financial 
statements 


My responsibility is to audit, certify and report on the financial statements in 
accordance with the Data Protection Act 2018. 


My objectives are to obtain reasonable assurance about whether the financial 
statements as a whole are free from material misstatement, whether due to 
fraud or error, and to issue a certificate that includes my opinion. Reasonable 
assurance is a high level of assurance but is not a guarantee that an audit 
conducted in accordance with ISAs (UK) will always detect a material 
misstatement when it exists. Misstatements can arise from fraud or error and 
are considered material if, individually or in the aggregate, they could 
reasonably be expected to influence the economic decisions of users taken on 
the basis of these financial statements. 


I design procedures in line with my responsibilities, outlined above, to detect 
material misstatements in respect of non-compliance with laws and regulation, 
including fraud. 


My procedures included the following: 


• Inquiring of management, Information Commissioner’s Office head of 
  internal audit and those charged with governance, including obtaining and 
  reviewing supporting documentation in respect of Information 
  Commissioner’s Office policies and procedures relating to: 

    o identifying, evaluating and complying with laws and regulations and 
      whether they were aware of any instances of non-compliance; 

    o detecting and responding to the risks of fraud and whether they 
      have knowledge of any actual, suspected or alleged fraud; and 

    o the internal controls established to mitigate risks related to fraud or 
      non-compliance with laws and regulations including Information 
      Commissioner's Office's controls relating to the Data Protection Act 
      2018, Managing Public Money and DCMS Management Agreement. 


• discussing among the engagement team regarding how and where fraud 
  might occur in the financial statements and any potential indicators of 
  fraud. As part of this discussion, I identified potential for fraud in the 
  following areas: revenue recognition, posting of unusual journals; bias in 
  accounting estimates and significant unusual transactions. 

• obtaining an understanding of the Information Commissioner's Office's 
  framework of authority as well as other legal and regulatory frameworks 
  that the Information Commissioner's Office operates in, focusing on those 
  laws and regulations that had a direct effect on the financial statements or 
  that had a fundamental effect on the operations of the Information 
  Commissioner’s Office. The key laws and regulations I considered in this 
  context included the Data Protection Act 2018, Government Resources & 
  Accounts Act 2020, Managing Public Money, Civil Service Pay remit 
  guidance, DCMS Management Agreement and tax legislation. 


In addition to the above, my procedures to respond to identified risks included 
the following: 


• reviewing the financial statement disclosures and testing to supporting 
  documentation to assess compliance with relevant laws and regulations 
  discussed above; 

• enquiring of management and the Audit Committee concerning actual and 
  potential litigation and claims; 

• reading minutes of meetings of those charged with governance; 

• in addressing the risk of fraud through management override of controls, 
  testing the appropriateness of journal entries and other adjustments; 
  assessing whether the judgements made in making accounting estimates 
  are indicative of a potential bias; and evaluating the business rationale of 
  any significant transactions that are unusual or outside the normal course 
  of business. 


I also communicated relevant identified laws and regulations and potential fraud 
risks to all engagement team members and remained alert to any indications of 
fraud or non-compliance with laws and regulations throughout the audit. 


A further description of my responsibilities for the audit of the financial 
statements is located on the Financial Reporting Council's website at: 
www.frc.org.uk/auditorsresponsibilities. This description forms part of my 
certificate. 


In addition, I am required to obtain evidence sufficient to give reasonable 
assurance that the income and expenditure reported in the financial statements 
have been applied to the purposes intended by Parliament and the financial 
transactions conform to the authorities which govern them. 


I communicate with those charged with governance regarding, among other 
matters, the planned scope and timing of the audit and significant audit findings, 
including any significant deficiencies in internal control that I identify during my 
audit. 


Report 
I have no observations to make on these financial statements. 


Gareth Davies 
Comptroller and Auditor General 6 July 2021 


National Audit Office, 
157-197 Buckingham Palace Road 
Victoria 
London SW1W 9SP 


Statement of comprehensive net expenditure 
for the year ended 31 March 2021 

                                          Note        2020/21               2019/20
                                                  £'000     £'000       £'000     £'000
Expenditure
Staff costs                                  9              43,229                39,076
Other expenditure                            4   10,990                13,436
Depreciation and other non-cash costs        4    2,205     13,195      2,241     15,677
Total expenditure                                           56,424                54,753
Income
Income from activities                      5a             (53,405)              (49,707)
Net Expenditure                                              3,019                 5,046
Total comprehensive expenditure for the
year ended 31 March                                          3,019                 5,046


Note: All income and expenditure relates to continuing operations. There was no other 
comprehensive expenditure for the year ended 31 March 2021 (31 March 2020 Nil) 


The notes on pages 112 to 133 form part of these financial statements. 


Statement of financial position 
as at 31 March 2021 

                                            Note     31 March 2021           31 March 2020
                                                    £'000     £'000         £'000     £'000
Non-current assets
Property, plant and equipment                  6      854                   1,073
Right of use assets                            7    2,502                   3,968
Intangible assets                              8      673                     688
Total non-current assets                                      4,029                   5,729
Current assets
Trade and other receivables                   10   30,565                   5,390
Cash and cash equivalents                     11   16,114                   6,154
Total current assets                                         46,679                  11,544
Total assets                                                 50,708                  17,273
Current liabilities
Trade and other payables                      12            (39,909)                 (7,506)
Provisions                                    13         [illegible]                   (911)
Lease liability                               14             (1,374)                 (1,487)
Non-current assets plus net current assets                    9,411                   7,369
Non-current liabilities
Provisions                                    13               (859)                   (859)
Lease liability                               14             (1,390)                 (2,759)
Assets less liabilities                                       7,162              [illegible]
Taxpayers’ equity
Revaluation reserve
General reserve                                               7,162              [illegible]
                                                              7,162                [missing]


Note: The notes on pages 112 to 133 form part of these financial statements. 


Elizabeth Denham 
22 June 2021 


Statement of cash flows 
for the year ended 31 March 2021 

                                                          Note      2020/21       2019/20
                                                                      £'000         £'000
Cash flows from operating activities
Net expenditure                                                      (3,019)       (5,046)
Adjustment for non-cash items                      [illegible]        3,411         3,887
Decrease/(increase) in trade and other receivables          10        1,002          (564)
Increase in trade payables                                  12        1,404           178
Use of provisions                                           13         (911)          (30)
Net cash inflow (outflow) from operating activities                   1,887        (1,575)

Cash flows from investing activities
Purchase of property, plant and equipment                    6         (239)     [missing]
Proceeds on sale of property, plant & equipment                           0      [missing]
Purchase of intangible assets                                8         (265)     [missing]
Net cash outflow from investing activities                             (504)     [missing]

Cash flows from financing activities
Right of use assets - Lease payments                        14       (1,562)       (1,291)
Grant-in-aid received from the DCMS                         17        6,173         6,338
Net cash inflow from financing activities                             4,611         5,047

Net increase/(decrease) in cash and cash
equivalents during the year before adjustment for
receipts and payments to the Consolidated Fund                        5,994         2,911

Receipts due to the Consolidated Fund which are
outside the scope of the Information
Commissioner's activities                                            10,945   [illegible]

Payments of amounts due to the Consolidated Fund                     (6,979)       (1,657)

Net increase/(decrease) in cash and cash
equivalents in the year after adjustment for
receipts and payments to the Consolidated Fund                        9,960   [illegible]

Cash and cash equivalents at the start of the year                    6,154   [illegible]

Cash and cash equivalents at the end of the year            11       16,114         6,154


Note: The notes on pages 112 to 133 form part of these financial statements. 


Statement of changes in taxpayers’ equity 
for the year ended 31 March 2021 

                                          Note   Revaluation       General        Total
                                                     reserve       reserve     reserves
                                                       £'000         £'000        £'000
Balance at 31 March 2019                                             2,204        2,204

Changes in taxpayers’ equity 2019/20
Grant-in-aid from the DCMS                 1.3                       6,338        6,338
Comprehensive expenditure for the year                              (5,046)      (5,046)
Non-cash charges - Information
Commissioner’s salary costs                                            256          256

Balance at 31 March 2020                                       [illegible]        3,732

Changes in taxpayers’ equity 2020/21
Grant-in-aid from the DCMS                                           6,173        6,173
Comprehensive expenditure for the year                              (3,019)      (3,019)
Non-cash charges - Information
Commissioner's salary costs                                            256          256

Balance at 31 March 2021                                             7,162        7,162


Note: The notes on pages 112 to 133 form part of these financial statements. 


Notes to the accounts 


1. Statement of accounting policies 


These financial statements have been prepared on a going concern basis in 
accordance with the 2020/21 Government Financial Reporting Manual (FReM) 
issued by HM Treasury. The accounting policies contained in the FReM apply 
International Financial Reporting Standards (IFRS) as adapted or interpreted for 
the public sector context. Where the FReM permits a choice of accounting policy, 
the accounting policy which is judged most appropriate to the particular 
circumstances of the Information Commissioner for the purpose of giving a true 
and fair view has been selected. The particular policies adopted by the 
Information Commissioner are described below. They have been applied 
consistently in dealing with items that are considered material to the accounts. 


1.1. Accounting convention 
These accounts have been prepared under the historical cost convention 
modified to account for the revaluation of property, plant and equipment 
and intangible assets at their value to the business by reference to current 
costs. 


1.2. Disclosure of IFRS in issue but not yet effective 
The Information Commissioner has reviewed and concluded that there are 
no IFRSs in issue but not yet effective that are applicable to the ICO. IFRS 17 
relates to the accounting treatment of issuing insurance contracts and as such 
has no impact on the accounts of the Information Commissioner's Office. 


1.3. Grant-in-aid 
Grant-in-aid is received from the DCMS to fund expenditure on freedom of 
information work and is credited to the General Reserve on receipt. 


1.4. Cash and cash equivalents 
Cash and cash equivalents recorded in the Statement of Financial Position 
and Statement of Cash Flows include cash-in-hand, deposits held at call 
with banks, other short-term highly liquid investments and bank overdrafts. 


1.5. Income from activities and Consolidated Fund income 
Income collected under the Data Protection Act 2018 is surrendered to the 
DCMS as Consolidated Fund income, unless the DCMS (with the consent of 
the Treasury) has directed otherwise, in which case it is treated as Income 
from activities. There are three main types of income collected: 


Data protection notification fees 

Fees are collected from annual notification fees paid by data controllers 
required to notify their processing of personal data under the DPA 2018. 
The Information Commissioner has been directed to retain the fee income 
collected to fund data protection work and this is recognised in the 
Statement of Comprehensive Net Expenditure as income. At the end of 
each year, the Information Commissioner may carry forward to the 
following year sufficient fee income to pay year-end creditors. Any fees in 
excess of the limits prescribed within the Management Agreement with 
DCMS are paid over to the Consolidated Fund. Under IFRS 15, if an entity 
does not satisfy a performance obligation over time, the performance 
obligation is satisfied at a point in time. As fees are recognised and used in 
the year in which they are received, then under IFRS 15 the performance 
obligations are considered to have been satisfied at a point in time. 


The ICO follows a five-step approach to recognising the fee income under 
IFRS 15, as follows: 


Step 1 Identify Contract - In line with guidance from HMT, DP Fee income 
will be treated as a contract with customers. 


Step 2 Identify performance obligations - Based on the services that the 
ICO provide to both organisations (who are liable for the DP fee) and the 
general public, there are no specific performance obligations identifiable but 
rather an ongoing performance with no specific service available for one 
organisation over another. Services are based on (subject and caseload) 
priority and public risk, cases that come online through investigation 
channels and assurance, annual cycle of advice and guidance publication, 
technical advice and leadership. 


Step 3 Determine transaction price - The cost of the DP fee is based on the 
size and complexity of an organisation and is set by the Secretary of State 
based on consultation with the ICO on the forecasted costs of delivering all 
regulatory services to both organisations and the general public. 


Step 4 Allocate price to performance obligations - No specific performance 
obligations specific to one organisation, further than overall public body 
regulatory obligations, therefore there is no viable method of allocating a 
price to obligations (other than the fee cost in its entirety). 


Step 5 Recognise revenue when performance obligations are met - This is 
deemed to be at the point of registration. 


Civil monetary penalties 

The Information Commissioner can impose civil monetary penalties for 
serious breaches of the DPA of up to 4% of global turnover. For breaches of 
PECR, penalties of up to £500k can be imposed. A penalty can be reduced 
by 20% if paid within 30 days of being issued. The CMPs collected by the 
Information Commissioner are paid over to the Government's Consolidated 
Fund. 


The Information Commissioner can impose fines for not paying the data 
protection fee up to a maximum of £4,350 under the DPA 2018. 


The Information Commissioner does not take action to enforce a civil 
monetary penalty unless and until the period specified in the notice as to 
when the penalty must be paid has expired and the penalty has not been 
paid, all relevant appeals against the monetary penalty notice and any 
variation of it have either been decided or withdrawn, and the period for 
the data controller to appeal against the monetary penalty and any 
variation of it has expired. 


Civil monetary penalties collected by the Information Commissioner are 
recognised on an accruals basis when issued. They are paid over to the 
Consolidated Fund, net of any early payment reduction when received. Civil 
monetary penalties are not recognised in the Statement of Comprehensive 
Net Expenditure but are treated as a receivable and payable in the 
Statement of Financial Position. Under IFRS 15 the revenue through fines 
and penalties is recognised as the fine is the equivalent of a taxable event, 
the revenue can be measured reliably, and it is probable that the fine will 
be paid. If the fines are subject to appeal they are not recognised until the 
appeal process is finalised and the fine is confirmed as valid. 


The amounts recognised are regularly reviewed and subsequently adjusted 
in the event that a civil monetary penalty is varied, cancelled, impaired or 
written off as irrecoverable. Amounts are written off as irrecoverable on the 
receipt of legal advice. Legal fees incurred in recovering debts are currently 
borne by the ICO. 


IFRS 9 requires determination of an amount in respect of expected credit 
losses, reflecting Management’s forward-looking assessment of the 
recoverability of debts. Under IFRS 9, expected credit losses within 12 
months of the balance sheet date are accounted for initially and, if there is a 
significant increase in credit risk, expected lifetime losses are recognised as 
appropriate. Such an impairment value has been incorporated into the 
financial statements this year. The impairment value is based on those CMP 
cases still being investigated by the Enforcement department at year-end 
and where the expectation of receiving any income from these CMPs has 
diminished over time, but where enforcement investigations are still 
ongoing. 


Sundry receipts 

The Information Commissioner has been directed to retain certain sundry 
receipts such as other legislative funding, grants, management charges, 
reimbursed travel expenses and recovered legal costs. This is recognised in 
the Statement of Comprehensive Net Expenditure as income. 


The Information Commissioner has interpreted the Financial Reporting 
Manual (FReM) to mean that she is acting as a joint agent with the DCMS, 
and that income not directed to be retained as Income from Activities falls 
outside of normal operating activities and is not reported through the 
Statement of Comprehensive Net Expenditure but disclosed separately 
within the notes to the accounts. This included receipts such as bank 
interest, which is paid to the Consolidated Fund. 


1.6. Notional costs 
The salary and pension entitlement of the Information Commissioner are 
paid directly from the Consolidated Fund and are included within staff costs 
and reversed with a corresponding credit to the General Reserve. 


1.7. Pensions 
Past and present employees are covered by the provisions of the Principal 
Civil Service Pensions Scheme. 


1.8. Property, plant and equipment 
Assets are classified as property, plant and equipment if they are intended 
for use on a continuing basis, and their original purchase cost, on an 
individual basis, is £2,000 or more, except for laptop and desktop 
computers, which are capitalised even when their individual cost is below 
£2,000. 


Property, plant and equipment (excluding assets under construction) is 
valued under a depreciated historical cost basis as a proxy for current value 
in existing use or fair value for assets that have short useful lives or low 
values. 


At each balance sheet date, the carrying amounts of property, plant and 
equipment and intangible assets are reviewed to determine whether there 
is any indication that those assets have suffered an impairment loss. If any 
such indication exists, the fair value of the asset is estimated in order to 
determine the impairment loss. Any impairment charge is recognised in the 
Statement of Comprehensive Net Expenditure account in the year in which 
it occurs. 


1.9. Depreciation 

Depreciation is provided on property, plant and equipment on a straight-line 
basis to write off the cost or valuation evenly over the asset's 
anticipated life. A full year's depreciation is charged in the year in which an 
asset is brought into service. No depreciation is charged in the year of 
disposal. The principal lives adopted are: 

Information Technology      Between 5 and 10 years 
Plant and Machinery         Between 5 and 10 years 
Leasehold improvements      Over remainder of the property lease 
Right of use assets         Over the remainder of the lease period 


1.10. Intangible assets and amortisation 
Intangible assets are stated at the lower of replacement cost and 
recoverable amount. Computer software licences and their associated costs 
are capitalised as intangible assets where expenditure of £2,000 or more is 
incurred. Software licences are amortised over their useful economic life 
which is estimated as four years or the length of the contract, whichever is 
the shorter term. 


1.11. Leases 
IFRS 16 “Leases” has been implemented from 1 April 2019; this introduces 
a single lessee accounting model that requires a lessee to recognise assets 
and liabilities for all leases (apart from the exemptions included below). 


For government bodies reporting under the FReM, IFRS 16 was brought into 
effect on 1 April 2020 and replaced IAS 17 (Leases). DCMS elected, with 
HMT authority, to early adopt IFRS 16 (as adapted by the HMT’s IFRS 16 
leases application guidance). As part of the DCMS group, ICO therefore 
implemented from 1 April 2019. 


In respect of lessees, IFRS 16 removes the distinction between operating 
and finance leases and introduces a single accounting model that requires a 
lessee to recognise (‘right-of-use’) assets and lease liabilities. 


The definition of a lease has been updated under IFRS 16; there is more 
emphasis on being able to control the use of an asset identified in a 
contract. There are new requirements for variable lease payments such as 
RPI/CPI uplifts; and there is an accounting policy choice allowable to 
separate non-lease components. 


Implementation and Assumptions 


IAS 17 operating leases are included within our statement of financial 
position as a lease liability and right of use asset for the first time in 2019-20 
with changes made through the general fund as a cumulative catch-up 
adjustment. The calculation of the lease liability and right of use assets is 
included below. 


The option to reassess whether a contract is, or contains, a lease at the 
date of initial application has not been used; the group, and so ICO, has 
used the practical expedient detailed in IFRS 16(C3).1. 


The group has expanded the definition of a lease to include arrangements 
with nil consideration. Peppercorn leases are examples of these; they are 
defined by HMT as lease payments significantly below market value. These 
assets are fair valued on initial recognition. On transition any differences 
between the discounted lease liability and the right of use asset are 
included through cumulative catch up. Any differences between the lease 
liability and right of use asset for new leases after implementation of IFRS 
16 are recorded in income on the SoCNE. 


The group, and so ICO, has elected not to recognise right of use assets and 
lease liabilities for the following leases: 


• intangible assets. 

• non-lease components of contracts where applicable. 

• low value assets (these are determined to be in line with 
  capitalisation thresholds on Property, Plant and Equipment except 
  vehicles which have been deemed to be not of low value) and 

• leases with a lease term of 12 months or less. 


Policy applicable from 1 April 2019 


At inception of a contract, the ICO assesses whether a contract is, or 
contains, a lease. A contract is or contains a lease if the contract conveys 
the right to control the use of an identified asset for a period. This includes 
assets for which there is no consideration. To assess whether a contract 
conveys the right to control the use of an identified asset, the group 
assesses whether: 


• The contract involves the use of an identified asset. 

• The group has the right to obtain substantially all of the economic 
  benefit from the use of the asset throughout the period of use and 

• The group has the right to direct the use of the asset. 


The policy is applied to contracts entered into, or changed, on or after 1 
April 2019. 


At inception or on reassessment of a contract that contains a lease 
component, the group allocates the consideration in the contract to each 
lease component on the basis of the relative standalone prices. 


The group assesses whether it is reasonably certain to exercise break 
options or extension options at the lease commencement date. The group 
reassesses this if there are significant events or changes in circumstances 
that were anticipated. 


Right of use assets 


On transition to IFRS 16 the ICO recognises a right of use asset and a lease 
liability at the lease commencement date. The right-of-use asset is initially 
measured at the amount equal to the lease liability, adjusted by the 
amount of any prepaid or accrued lease liability (present value of minimum 
lease payments), and subsequently at the amount less accumulated 
depreciation and impairment losses, and adjusted for certain 
re-measurements of the lease liability. Right-of-use assets are held at current 
cost in accordance with HMT IFRS 16 guidance. Depreciated historic cost is 
used as a proxy for current value as directed by HMT guidance on IFRS 16, 
including for property leases, because property leases are sufficiently short in 
term and are not expected to fluctuate significantly due to changes in 
market prices. Lease payments only include the direct cost of the leases 
and do not include other variables. Lease terms are determined based on 
advice from the Government Property Unit and in accordance with the 
business needs of the ICO. 


The right-of-use asset is depreciated using the straight-line method from 
the commencement date to the earlier of the end of the useful life of the 
right-of-use asset or the end of the lease term. The estimated useful lives 
of the right-of-use assets are determined on the same basis of those of 
property plant and equipment assets. 


The group applies IAS 36 Impairment of Assets to determine whether the 
right-of-use asset is impaired and to account for any impairment loss 
identified. 


Lease liabilities 


The lease liability is initially measured at the present value of the lease 
payments that are not paid at the commencement date, discounted using 
the interest rate implicit in the lease or where that is not readily 
determinable, the discount rate as provided by HM Treasury of 1.99% for 
leases entered into prior to 31 Dec 2019 or 1.27% after 1 Jan 2020 or 
0.91% after 1 Jan 2021. The lease liability only includes the direct lease 
cost and excludes any service charges. The length of each lease is 
determined on signing the contractual terms following agreement with the 
landlord and after gaining permission from the Government Property Unit. 


The lease payment is measured at amortised cost using the effective 
interest method. It is re-measured when there is a change in future lease 
payments arising from a change in the index or rate, if there is a change in 
the group’s estimates of the amount expected to be payable under a 
residual value guarantee, or if the group changes its assessment of whether 
it will exercise a purchase, extension or termination option. 


Lease payments included in the measurement of the lease liability comprise 
the following: 


• Fixed payments, including in-substance fixed payments. 

• Variable lease payments that depend on an index or a rate, initially 
  measured using the index rate as at the commencement date. 

• Amounts expected to be payable under a residual value guarantee. 

• The exercise price under a purchase option that the group is 
  reasonably certain to exercise, lease payments in an optional renewal 
  period if the ICO is reasonably certain to exercise an extension 
  option, and penalties for early termination of a lease unless the ICO is 
  reasonably certain not to terminate early. 


The lease liability is subsequently increased by the interest cost on the 
lease liability and decreased by lease payments made. It is re-measured 
when there is a change in the future lease payments arising from a change 
in an index or rate, a change in the estimate of the amount expected to be 
payable under a residual value guarantee, or as appropriate, changes in the 
assessment of whether a purchase or extension option is reasonably certain 
to be exercised or a termination option is reasonably certain not to be 
exercised. No lease liabilities have required to be remeasured in 2020-21 as 
a result of the criteria above. 


When the lease liability is re-measured, a corresponding adjustment is 
made to the right of use asset or recorded in the SoCNE if the carrying 
amount of the right of use asset is zero. 


ICO presents right of use assets that do not meet the definition of 
investment properties per IAS40 as right of use assets on the Statement of 
Financial Position. The lease liabilities are included within Lease liabilities 
within current and non-current liabilities on the Statement of Financial 
Position. 


1.12. Provisions 
Provisions are recognised when there is a present obligation as a result of a 
past event where it is probable that an outflow of resources will be required 
to settle the obligation and a reliable estimate of the amount of the 
obligation can be made. 


1.13. Value added tax 
The Information Commissioner is not registered for VAT as most activities 
of the Information Commissioner's Office are outside of the scope of VAT. 
VAT is charged to the relevant expenditure category or included in the 
capitalised purchase cost of non-current assets. 


1.14. Segmental reporting 
The policy for segmental reporting is set out in note 2 to the Financial 
statements. 


2. Analysis of net expenditure by segment 

                          Data     Freedom of    Other grant-     2020/21
                    protection    information          in-aid       Total
                         £'000          £'000           £'000       £'000
Gross expenditure       50,251          4,003           2,170      56,424
Income                 (53,405)             -               -     (53,405)
Net expenditure         (3,154)         4,003           2,170       3,019

                          Data     Freedom of    Other grant-     2019/20
                    protection    information          in-aid       Total
                         £'000          £'000           £'000       £'000
Gross expenditure       48,415          3,750           2,588      54,753
Income                 (49,707)             -               -     (49,707)
Net expenditure         (1,292)         3,750           2,588       5,046


Expenditure is classed as administrative expenditure except those costs 
associated with readiness for legislative changes which have been classified as 
programme. 


The analysis above is provided for fees and charges purposes and for the 
purpose of IFRS 8: Operating Segments. 


The factors used to identify the reportable segments of data protection and 
freedom of information are that the Commissioner’s main responsibilities were 
contained within the DPA 2018 and FOIA, and funding during 2019/20 and in 
prior years was provided for data protection work by collecting an annual 
registration fee from data controllers under the DPA, whilst funding for freedom 
of information is provided by a grant-in-aid from the DCMS. Other grant-in-Aid 
related to £500k for network infrastructure and systems regulation, £47k for 
electronic identification and trust services regulation, funding to support pension 
costs £1.458m and funding for Investigatory Powers Act 2016 moved from being 
funded by the Home Office to being funded by GIA from Q3 2020-21 £165k. 


The data protection notification fee was set by the Secretary of State, and in 
making any fee regulations under section 134 of the DPA 2018, as amended by 
paragraph 17 of Schedule 2 to FOIA, the Secretary of State had to have regard 
to the desirability of securing that the fees payable to the Commissioner were 
sufficient to offset the expenses incurred by the Commissioner, the Information 
Tribunal and any expenses of the Secretary of State in respect of the 
Commissioner or the Tribunal, and any prior deficits incurred, so far as
attributable to the functions under the DPA 2018. 

These accounts do not include the expenses incurred by the Information Tribunal
or the Secretary of State in respect of the Commissioner, and therefore cannot 
be used to demonstrate that the data protection fees offset expenditure on data 
protection functions, as set out in the DPA 2018. 


Expenditure is apportioned between the data protection and freedom of 
information work on the basis of costs recorded in the ICO’s accounting system. 
This allocates expenditure to various cost centres across the organisation. A 
financial model is then applied to apportion expenditure between data protection 
and freedom of information on an actual basis, where possible, or by way of 
reasoned estimates where expenditure is shared. 


3. Staff numbers and related costs


Staff costs comprise:

                              Permanently
                              employed               2020/21   2019/20
                              staff        Others    Total     Total
                              £'000        £'000     £'000     £'000
Wages and salaries            30,232       2,049     32,281    29,008
Social security costs         3,225        -         3,225     2,942
Other pension costs           7,743        -         7,743     7,126
Sub-total                     41,200       2,049     43,249    39,076
Less recoveries in respect
of outward secondments        (20)         -         (20)      -
Total net costs               41,180       2,049     43,229    39,076


Included in staff costs above are notional costs of £256k (2019/20: £256k) in 
respect of salary and pension entitlements of the Information Commissioner and 
the associated employer's national insurance contributions which are credited
directly to the General Reserve, temporary agency staff costs of £1.503m 
(2019/20: £746k) and inward staff secondments of £546k (2019/20: £894k) as 
well as the amounts disclosed in the Remuneration Report. 


Average number of persons employed 


The average number of whole-time equivalent persons employed during the year 
was: 


                     Permanently   Temporarily
                     employed      employed      2020/21   2019/20
                     staff         staff         Total     Total
Directly employed    743.6         -             743.6     706.2
Agency staff         -             43.5          43.5      20.7
Total employed       743.6         43.5          787.1     726.9


Pension arrangements


The Principal Civil Service Pension Scheme (PCSPS) and the Civil Servant and 
Other Pension Scheme (CSOPS) - known as "alpha" - are unfunded multi- 
employer defined benefit schemes, but the Information Commissioner’s Office is 
unable to identify its share of the underlying assets and liabilities. 


The scheme actuary valued the PCSPS as at 31 March 2016. Details can be
found in the resource accounts of the Cabinet Office Civil Superannuation
(civilservice.gov.uk/pensions).


For 2020/21 employers' contributions of £7.727m (2019/20: £6.878m) were
payable to the PCSPS at one of four rates in the range 20% to 24.5% of 
pensionable pay, based on salary bands. The Scheme's Actuary reviews 
employer contributions usually every four years following a full scheme 
valuation. The contribution rates are set to meet the cost of benefits accruing 
during 2020/21 to be paid when the member retires and not the benefits paid 
during the period to existing pensioners. 


Employees can opt to open a ‘Partnership’ account, a stakeholder pension with 
an employer contribution. Employers' contributions of £152k (2019/20: £196k), 
were paid to one or more of a panel of three appointed stakeholder pension 
providers. Employers’ contributions are age-related and range from 8% to 
14.75% of pensionable pay. In addition, employer contributions of £6k 
(2019/20: £6k), 0.8% of pensionable pay, were payable to the Principal Civil 
Service Pension Scheme to cover the cost of future provision of lump sum 
benefits on death in service and ill health retirement of these employees. 


Contributions due to partnership pension providers at the Statement of Financial 
Position date were £6k (2019/20: £6k). Contributions prepaid at this date were 
£ Nil (2019/20: £ Nil).


Other pension costs include notional employers’ contributions of £53k (2019/20: 
£53k) in respect of notional costs in respect of the Information Commissioner. 


One individual retired early on health grounds during the year. 




4. Other expenditure 


                                               2020/21   2019/20
                                               £'000     £'000
Accommodation (Business rates and services)    774       879
Rentals under operating leases                 717       661
Office supplies and stationery                 119       508
Carriage and telecommunications                1,055     60
Travel and subsistence                         43        983
Staff recruitment                              224       283
Specialist assistance and policy research      1,364     1,359
Communications and external relations          280       529
Legal costs                                    781       igi
Learning and development, health and safety    476       500
IT Service delivery costs                      4,236     3,248
Business development costs                     726       2,962
Audit fees                                     32        30
Grants Fund                                    163       243
                                               10,990    13,436
Non-cash items
Depreciation                                   1,918     1,974
Amortisation                                   280       236
Loss on disposal of assets                     7         31
                                               2,205     2,241
Total expenditure                              13,195    15,677


5. Income 

5a. Income from activities

                   2020/21   2019/20
                   £'000     £'000
Fees               53,205    48,712
Sundry receipts    200       995
                   53,405    49,707


5b. Consolidated Fund income

Fees
Collected under the DPA
Retained under direction as Income from activities

Civil monetary penalties - Investigations
Penalties issued
Early payment reductions
Repaid following a successful appeal
Uncollectable, cancelled after successful appeals
Re-issued after appeal
Impairments

Civil monetary penalties - Non-payment of fees
Penalties issued
Impairments

Sundry receipts
Receipts under the Proceeds of Crime Act
Grant income (repaid)
Bank interest received
Brexit Funding
Recovered legal fees
Reimbursed travel expenses
Conference fees
Management Fee from Telephone Preference Service
Income received from The Regulatory Pioneers Fund
Income receipts under the Investigatory Powers Act
Marketing income
Sundry receipts retained under direction as Income from Activities

Income payable to Consolidated Fund

2020/21 (£'000): 53,205; (53,205); 41,959; (239); (3,298); (444); (28)
2019/20 (£'000): 48,712; (48,712); 2,409; (281); (110); (2,000); 287; 18

                                                 2020/21   2019/20
                                                 £'000     £'000
Balances held at the start of the year           3,191     4,543
Income payable to the Consolidated Fund          37,978    305
Payments to the Consolidated Fund                (6,977)   (1,657)
Balances held at the end of the year (note 12)   34,192    3,191

As set out in note 1.5 income payable to the Consolidated Fund does not form 
part of the Statement of Comprehensive Net Expenditure. Amounts retained 
under direction from the DCMS with the consent of the Treasury are treated as 
income from activities within the Statement of Comprehensive Net Expenditure. 
The amounts receivable for Civil Monetary Penalties at 31 March 2021 were 
£28.667m (2019/20: £2.456m) and the amounts payable for Civil Monetary 
Penalties were £33.969m (2019/20: £2.882m). 
The Civil Monetary Payment figure at the year-end date includes all Civil 
Monetary Payments unpaid at that date. 
6. Property, plant and equipment 

                     Information  Plant and  Leasehold     Assets under  2021     2020
                     technology   machinery  improvements  construction  Total    Total
                     £'000        £'000      £'000         £'000         £'000    £'000
Cost or valuation
At 1 April 2020      7,532        242        2,760         -             10,534   11,216
Additions            239          -          -             -             239      543
Transfers            -            -          -             -             -        (769)
Disposals            (5,633)      -          -             -             (5,633)  (457)
At 31 March 2021     2,138        242        2,760         -             5,140    10,533
Depreciation
At 1 April 2020      6,875        153        2,432         -             9,460    9,377
Charged in year      326          38         88            -             452      508
Disposals            (5,626)      -          -             -             (5,626)  (425)
At 31 March 2021     1,575        191        2,520         -             4,286    9,460
Net book value at
31 March 2021        563          51         240           -             854      1,073
Owned                563          51         240           -             854      1,073
Net book value at
31 March 2020        657          88         328           -             -        1,073

Property, plant and equipment (excluding assets under construction) is valued 
under a depreciated historical cost basis as a proxy for current value in existing 
use or fair value for assets that have short useful lives or low values. This is 
considered an appropriate model for all classes of assets as the majority have 
useful lives of five years or are considered an immaterial value. 
Included above are fully depreciated assets, in use with an original cost of 
£3.964m (2019/20: £5.686m). 
An amount of £769k was transferred from Asset under construction to Software 
licences in 2019/20. 

7. Right of use assets

                                       Long leasehold
                                       land and         2021    2020
                                       buildings        Total   Total
                                       £'000            £'000   £'000
Cost or valuation
At 1 April 2020                        5,434            5,434   -
Right of use assets brought in under
transition                             -                -       4,279
Additions                              -                -       1,155
At 31 March 2021                       5,434            5,434   5,434
Depreciation
At 1 April 2020                        1,466            1,466   -
Charged in year                        1,466            1,466   1,466
At 31 March 2021                       2,932            2,932   1,466
Net book value at 31 March 2021        2,502            2,502   3,968
Asset financing
Owned                                  2,502            2,502   3,968
Net book value at 31 March 2021        2,502            2,502   3,968


The lease on the ICO main premises at Wycliffe House, Wilmslow expired on 1
January 2017 and a new lease was signed with a break clause in five years. No
new leases were entered into during this period. A provision has been made for
dilapidations based upon the assessment by Avison Young (the trading name of
GVA), commercial property advisers, dated January 2020 and March 2020. A full
dilapidation report was completed across the full Wilmslow estate during
2019/20.


The ICO also occupies government property in Cardiff under Memorandum of
Terms of Occupation agreement ending in 2024. Under this agreement, the ICO
may have dilapidations liabilities at the end of the term of occupation, but these
are considered immaterial to recognise further. The ICO occupation of
government property in Edinburgh ended mid-2020 and there were no
dilapidations liabilities at the end of the occupation.


8. Intangible assets


Cost or valuation
At 1 April 2020
Additions
Disposals
Transfers
Reclassifications
At 31 March 2021

Amortisation
At 1 April 2020
Charged in year
Disposals
At 31 March 2021

Net book value at 31 March 2021

Columns: Software licences (£'000); Assets under construction (£'000)
£'000: 4,210; 178; (50); 87; 87

                                   Software   Assets under   2021    2020
                                   licences   construction   Total   Total
                                   £'000      £'000          £'000   £'000
Asset financing
Owned                              586        87             673     688
Net book value at 31 March 2021    586        87             673     688


An amount of £769k was transferred from Asset under construction to Software 
licences in 2019/20. 


9. Financial instruments 


As the cash requirements of the Information Commissioner are met through fees 
collected under the DPA 2018 and grant-in-aid provided by the DCMS, financial 
instruments play a more limited role in creating and managing risk than would 
apply to a non-public sector body. The Information Commissioner does not make 
use of any financial instruments beyond standard day to day banking. The 
Information Commissioner has no loans and does not use financial instruments 
to make investment. 


The financial instruments utilised relate to contracts to buy non-financial items in 
line with the Information Commissioner's expected purchase and usage 
requirements and the Information Commissioner is therefore exposed to little 
credit, liquidity or market risk. The credit risk connected to Civil Monetary 
Penalties is deemed to be low risk to the Information Commissioner. 


10. Trade receivables and other current assets 


                                         31 March   31 March
                                         2021       2020
                                         £'000      £'000
Amounts falling due within one year:
Trade debtors                            49         760
Prepayments and accrued income           1,609      1,899
Sub-total                                1,658      2,659
Consolidated Fund receipts due           15,224     4,703
Less: amounts impaired (note 5b)         (2,444)    (2,000)
Other                                    27         28
Sub-total                                12,807     2,731
                                         14,465     5,390
Amounts falling due later than one year:
Trade debtors                            -          -
Prepayments and accrued income           -          -
Sub-total                                -          -
Consolidated Fund receipts due           16,100     -
Less: amounts impaired (note 5b)         -          -
Other                                    -          -
Sub-total                                16,100     -
                                         16,100     -
                                         30,565     5,390


11. Cash and cash equivalents 


                                                   31 March   31 March
                                                   2021       2020
                                                   £'000      £'000
Balance at 1 April                                 6,154      3,101
Net change in cash and cash equivalent balances    9,960      3,053
Balance at 31 March                                16,114     6,154
Split:
Commercial banks and cash in hand                  12,514     4,616
Government Banking Service                         3,600      1,538
                                                   16,114     6,154


12. Trade payables and other current liabilities

                                           31 March   31 March
                                           2021       2020
                                           £'000      £'000
Amounts falling due within one year:
Taxation and social security               868        715
Trade payables                             908        994
Other payables                             2,287      1,261
Accruals and deferred income               1,654      1,344
Sub-total                                  5,717      4,314
Amount payable to government (note 5b)     13,092     3,191
                                           18,809     7,505
Amounts falling due later than one year:
Taxation and social security               -          -
Trade payables                             -          -
Other payables                             -          -
Accruals and deferred income               -          -
Sub-total                                  -          -
Amount payable to government (note 5b)     21,100     -
                                           39,909     7,505

The amount payable to the sponsor department represents the amount which 
will be due to the Consolidated Fund when all of the income due is collected. 
13. Provision for liabilities and charges 

                             Pay award           Dilapidations       Early departure     Bad debt
                                                                     costs
                             2020/21   2019/20   2020/21   2019/20   2020/21   2019/20   2020/21   2019/20
                             £'000     £'000     £'000     £'000     £'000     £'000     £'000     £'000
Balance at 1 April           911       -         859       510       -         35        -         -
Provided in year             -         911       -         349       -         (5)       14        -
Provision utilised in year   (911)     -         -         -         -         (30)      -         -
Balance at 31 March          -         911       859       859       -         -         14        -

Analysis of expected timing of discounted flow:

                             Pay award           Dilapidations       Early departure     Bad debt
                                                                     costs
                             2020/21   2019/20   2020/21   2019/20   2020/21   2019/20   2020/21   2019/20
                             £'000     £'000     £'000     £'000     £'000     £'000     £'000     £'000
Not later than one year      -         911       -         -         -         -         14        -
Later than one year and
not later than five years    -         -         859       859       -         -         -         -
Later than five years        -         -         -         -         -         -         -         -
Balance at 31 March          -         911       859       859       -         -         14        -


Dilapidations' provision 


The lease on the ICO main premises at Wycliffe House, Wilmslow expired on 1 
January 2017 and a new lease was signed with a break clause in five years. No 
new leases were entered into during this period. A provision has been made for 
dilapidations based upon the assessment by Avison Young (the trading name of 
GVA), commercial property advisers, dated January 2020 and March 2020. A full 
dilapidation report was completed across the full Wilmslow estate during 
2019/20. 


The ICO also occupies government property in Cardiff under Memorandum of 
Terms of Occupation agreement ending in 2024. Under this agreement, the ICO 
may have dilapidations liabilities at the end of the term of occupation, but these 
are considered immaterial to recognise further. The ICO occupation of 
government property in Edinburgh ended mid-2020 and there were no 
dilapidations liabilities at the end of the occupation. 


Early departure costs 


The additional cost of benefits, beyond the normal PCSPS benefits in respect of 
employees who retire early, are provided for in full when the early departure 
decision is approved by establishing a provision for the estimated payments 
discounted by the Treasury discount rate. There were no early departure costs in 
2020/21 (2019/20 Nil). The estimated payments are provided by MyCSP. 


14. Lease liabilities


Maturity Analysis — contractual undiscounted cashflows    31 March 2021
                                                          £'000
Less than one year                                        1,443
Between two and five years                                1,543
Later than five years                                     -
                                                          2,986
Lease Liabilities included in the balance sheet
Current                                                   1,374
Non-current                                               1,390
                                                          2,764
Movement in lease during the year
As at 01 April 2020                                       4,246
Interest charged to the income statement                  80
Lease Liability in relation to new leases                 -
Lease rental payments                                     (1,562)
                                                          2,764


15. Capital commitments 


There were no capital commitments in the year ended 31 March 2021 (2019/20: 
£ Nil). 


16. Commitments under operating leases 


The 2019 presentation under IFRS 16 Leases includes all leases on balance sheet 
as Right of use assets with a corresponding lease liability, other than leases 
which are short leases (terms of 12 months or less) or low value leases (asset 
value of less than £5,000). Leases that qualify for these exemptions are included 
within the disclosure below for 2020. 


The future aggregate minimum lease payments under non-cancellable leases not 
accounted for elsewhere under IFRS 16 are as follows: 

Total future minimum lease payments under operating leases are:

Not later than one year
Later than one year and not later than five years
Later than five years

31 March 2021 (£'000): 461
31 March 2020 (£'000):


The minimum lease payments are determined from the relevant lease
agreements and do not reflect possible increases as a result of market-based
reviews. The lease expenditure charged to the Statement of Comprehensive Net
Expenditure during the year is disclosed in note 4.


17. Related party transactions


The Information Commissioner confirms that she had no personal business
interests which conflict with her responsibilities as Information Commissioner.


During the financial year 2020/21 the DCMS was a related party to the
Information Commissioner.


During the year no related party transactions were entered into, with the
exception of providing the Information Commissioner with grant-in-aid, other
funding and the appropriation-in-aid of Civil Monetary Penalty and sundry
receipts to the Ministry of Justice for surrender to the Consolidated Fund.


In addition, the Information Commissioner has had various material transactions
with other central government bodies; most of these transactions have been
with the Principal Civil Service Pension Scheme (PCSPS).


None of the key managerial staff or other related parties has undertaken any
material transaction with the Information Commissioner during the year.


18. Contingent liabilities


There are no contingent liabilities at 31 March 2021 (31 March 2020: none).


19. Events after the reporting period


There were no events between the Statement of Financial Position date and the
date the accounts were authorised for issue, which is interpreted as the date of
the Certificate and Report of the Comptroller and Auditor General.